
ISSN. 1363-6650 



NOVEMBER 1997 
Issue 11 



FORENSIC COMPUTING, 



r m. 



Gcomfeffiiils 



Comment 


page 2 


News 


page 3 


Product news 


page 8 


Threat of hackers 


page 10 


Court reports 


page 1 1 


Feature: Law and 


page 12 


secure computing 




MS-DOS partitions 


page 18 


Hoax viruses 


page 19 


Forensic Q&A 


page 20 


Space trashers 


page 22 


Books 


page 22 


Notice board 


page 23 



Advisory Board COmmeilt 



• John Austen 

Computer Crime Consultants Ltd & Royal 
Holloway College, University of London, UK 

• Jim Bates 

Computer Forensics Ltd, UK 

° Alexander Dumbill 

King Charles House Chambers, UK 

• Ian Hayward 

Department of Information Systems, Victoria 
University of Technology, Australia 

• Robert S Jones 

Computer Related Crime Research Centre, 
Queen Mary & Westfleld College, 
University of London, UK 

• Nigel Layton 

Quest Investigations Pic, UK 

• Stuart Mort 
DRA, UK 

• Michael G Noblett 

Computer Analysis Response Team, FBI, US 

° Howard Schmidt 

SSA, Director of US Air Force Office of 
Special Investigations Computer Forensics 
Laboratory 

° Gary Stevens 

Ontrack Data International Inc, US 

6 Ron J Warmington 
Citibank NA, UK 

• Edward Wilding 

Network Security Management Ltd, UK 

Editorial Team 



• Paul Johnson 
Editor 

• Sheila Cordier 
Managing Editor 

International Journal of 
Forensic Computing 

Third Floor, Colonnade House, 
High Street, Worthing, 
West Sussex, UK 
BN11 1NZ 

Tel: +44 (0) 1903 209226 
Fax: +44 (0) 1903 233545 
e-mail : ij fc @pavilion. co.uk 
http : www. forensic-computing.com 



Computers and telecommunications 
technology have cut the size of our planet 
to ribbons. 

Mail and data can be sent instantly 
across the globe at the press of a button 
and users in different continents can chat 
to each other for the cost of a local phone 
call. 

And the phenomenon of the Internet 
allows an incredible level of contact and 
access to information unheard of until 
only a few years ago, creating the largest 
database and library anywhere. 

The computer community is truly a 
global village, making a mockery of 
physical distances and individual borders 
in any country. 

Pretty obvious and prosaic? Maybe, 
but the message is still to get through to 
a lot of investigators and police officers 
working in the field of forensic comput- 
ing across the world. 

Too many still have a "my back yard" 
outlook, and will only look as far as the 
crimes in their immediate jurisdiction and 
territory. This is an outdated concept in 
policing, with the huge risk that many 
criminals will go uncaught or unchal- 
lenged. 

What is needed is greater co-opera- 
tion between everyone in law enforce- 
ment groups, from those working on com- 
puter investigations down to the officers 
on the beat. 

If a cyber crime is spotted by one 
police department but the suspect is from 
a different geographical area, then this 
vital information has to be passed on to 
the relevant authorities. 

This is already happening to great 
effect by the more switched on groups. 
For instance, paedophile Jean Paul 
Hansford was investigated, prosecuted 
and jailed in the UK after a tip off from 



the FBI in the US. The FBI contacted 
Dorset Police after monitoring files con 
taining child pornography that were sen 
to an e-mail address in the UK. 

Without the communication and co 
operation, the case might never hav< 
come to light. But there are probabb 
hundreds of thousands of paedophile^ 
who remain unchallenged just because in 
formation has not been shared. 

If the criminals can make use of the 
technology to communicate with eacl 
other, why can't the good guys who an 
trying to catch them? 

And similarly, police across the work 
need to keep up with the latest develop- 
ments in computer crime, investigatior 
and law worldwide, even if they are no 
faced with those specific problems ir 
their own territory at the current time. 

The global computer community 
moves fast, and problems and solutions 
in one country will quickly move to oth- 
ers within years, months or even days. 

For instance, much of the news car- 
ried in the Journal looks at events in the 
US, where computer crime is now ar 
everyday occurrence and techniques anc 
legislation are being hustled in to try tc 
deal with it. 

As with many other facets, from ham- 
burgers to handguns, the US leads in the 
levels of computer misuse and othei 
countries are sure to follow this path. 

Does this matter to the investigatoi 
as far afield as the UK, Finland, Asia oi 
Australia? It surely does, because law 
enforcement groups in those countries 
have the chance to examine the real is- 
sues, both technical and academic, so 
they can be ready when the time comes. 

Hiding your head in the sand is fine 
for an ostrich, but it could be disastrous 
for forensic computing. 



All rights reserved. Without prior permission of the Publisher, no part of this publication may be reproduced, stored in a 
retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise. 

Articles are published on the understanding that publication is not taken to imply endorsement of the views therein by the 
Publisher or Editorial Team or members of the Advisory Board of the Journal. Courses of action described in the Journal in 
relation to one set of circumstances will not necessarily be appropriate for a different set of circumstances. 

Accordingly, readers should take their own independent specialist advice before proceeding on any project or course of action 
and any failure to do so is at their own risk. No responsibility is assumed by the Publisher or Editorial Team or members of the 
Advisory Board for any loss or damage to persons or property as a matter of contract, negligence (save in respect of liability 
for death or personal injury arising out of any negligence) or otherwise, or from any use or operation of any methods, products, 
instructions or ideas contained in the material herein. Whilst all reasonable care is taken, neither the Publisher, nor the Editorial 
Team, nor members of the Advisory Board can be held legally responsible for any errors in articles or listings. Upon submis- 
sion of an article, the author will be requested to transfer copyright of the article to the Publisher. 



2 November 1997 



International Journal of Forensic Computing 



Action over alleged 
Set pirates 

A lawsuit has been filed against two 
)eople in the US accusing them of putting 
opyrighted software on the Internet for 
)thers to download. 

The Software Publishers Association, 
copyright protection watchdog, is tak- 
ng the legal action on behalf of seven of 
ts member companies., including Adobe, 
Maris, Corel and Intuit. 

Before filing the suit, the SPA sub- 
poenaed two Internet service provider 
Irms for the names of the site operators 
offering the material through two Web 
sites. 

Both sites provided bootleg serial 
lumbers for installing pirate software and 
software piracy tools designed to get 
i round technical protection measures. 

The addresses of the sites, which the 
ISP have now removed or blocked for 
general public access, were 
www.velocity.net/~overlord and 
chisel.toolcity.net/~overlord. 

Filed in the US District Court for the 
Western District of Pennsylvania, the suit 
came after an exhaustive seven month in- 
vestigation tracking each site and moni- 
toring the alleged infringing material on 
each site. 

More than 53,000 people, visited the 
sites during that time period, and all of 
them had access to the material being 
offered. The sites provided an extensive 
list of serial numbers for about 4,500 

oftware products, some of which sell for 
: housands of dollars. When printed out 
in hard copy format, the list runs to 78 
single-spaced pages of serial numbers. 
Director ofNorth America anti-piracy 

} eter Beruk said: "These Internet sites, 
md thousands of others, have become a 
place to fence and acquire pirate soft- 
ware. 

"Bootleg serial numbers enable peo- 
ple to use pirated software downloaded 
from other sites, and software piracy tools 
let them make unauthorised copies. 

"This is only the tip of the iceberg. 
This lawsuit is the first of its kind alleg- 
ing this type of infringement, a type of 
piracy which has become far too com- 
non on the Internet. 

"In fact, a recent search for illegal 



software on the Net revealed nearly 
17,000 different sites offering infringing 
material. 5 ' 

Net used by racists 

A report by the Anti-Defamation 
League says that the Internet is being in- 
creasingly used by racists, anti-Semites, 
anti-government extremists and others 
who spread their hate. 

ADL members fear that hate is "pol- 
luting the Internet" and that offenders can 
now "spew their hate easily, cheaply and 
often deceptively, reaching numbers they 
could only have dreamed about before 
the telecommunications revolution." 

In the ADL report, called "High Tech 
Hate: Extremist Use of the Internet", of- 
ficials say groups such as the Ku Klux 
Klan go online to recruit and spread 
propaganda. 

ADL's website at www.adl.org has 
information on identifying hate groups 
and fighting them. 

Anti-spam war 

Internet service provider America 
Online is continuing its campaign against 
unsolicited e-mail by taking alleged cul- 
prits to court. 

AOL filed a suit in Virginia, US, 
against Vernon Hale and Prime Data 
Worldnet Systems Inc seeking to block 
what it described as "get rich fast" spam 
mailings which it said have resulted in 
millions of unsolicited e-mails being sent 
to its subscribers. 

And AOL said Hale and Prime Data 
Worldnet Systems have used unsolicited 
mass e-mail to sell two programs, Flood- 
gate and Stealth, to other would be 
spammers. 

Floodgate can gather e-mail ad- 
dresses from various sources on the In- 
ternet, while Stealth can provide mass 
mailings with false return addresses in 
order to evade filters and other measures 
designed to block spamming. 

Associate general counsel for AOL, 
Randall Boe, said he wants to know how 
many spam letters have been sent out and 
how many copies of the software have 
been sold on to others. 

He said that the aim of the suit is to 
"try to find out exactly how many pieces 
of mail he has sent to us and exactly how 



much he has damaged our service, and 
ultimately to get an order barring him 
from continuing to send unsolicited mail 
through the AOL service." 

A spokesman for AOL said: "Spam 
is an annoying intrusion for users of the 
Internet and the result is aggravation and 
slower e-mail service. 

"The days of no accountability for 
spammers are over. We will make sure 
that spammers are held accountable to the 
law." 

The latest suit comes after AOL an- 
nounced it was to sue Las Vegas-based 
Over the Air Equipment Inc from send- 
ing bulk e-mails to its members. And in 
February, a federal court in Philadelphia 
ruled on an AOL-filed suit and ordered 
CyberPromotions Inc to stop using ficti- 
tious and unregistered domain addresses 
to send unsolicited e-mail to AOL sub- 
scribers. 

Man jailed for Inter- 
net abuse 

A man dubbed the "Internet Romeo" 
was sentenced to more than five years in 
prison in the US for using an online chat 
room to solicit sex with a teenager. 

Keir Fiore, 21, from Manchester, 
New Hampshire, pleaded guilty to two 
counts of interstate transportation of a 
minor for illegal sex after using the Net 
to talk to a 13 -year-old girl in Salem. 

Prosecutors said Fiore flirted with the 
teenager and then convinced her to run 
away with him. The pair were eventually 
found by police after a national search. 

Fiore read a statement out to the court 
apologising to the teenager and her fam- 
ily. He said: "The Internet is dangerous 
for young children who use it without 
parental supervision." 

He was sentenced by US District 
Judge Joseph DiClerico to five years and 
three months in jail. 

Prostitutes online 

Police in Minnesota, US, have used 
the Internet to publish pictures of alleged 
female prostitutes and those who are ac- 
cused of being their customers. 

Officers in the St Paul Police Depart- 
ment said the 12 colour photographs were 
of people arrested for engaging in pros- 
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titution within the last 18 months. 

The site carries the disclaimer that 
"all persons are considered innocent un- 
til proven guilty in a court of law." 

Police in the town now carry digital 
cameras and will file pictures along with 
their written arrest reports. The web page 
will be updated weekly and includes the 
names, hometowns and ages of the 
women, and the same information for the 
men as well as their car make and model, 
registration plate and the road where they 
were arrested. 

A spokesman for the police depart- 
ment said: "The photos and descriptions 
in this section will help St Paul residents 
identify and alert police to this criminal 
activity. 

"Residents are tired of prostitutes ply- 
ing their trade on their sidewalks. They 
do not want their girls and women treated 
with disrespect by customers coming into 
their neighbourhoods. 

"And they do not want their children 
to view acts of prostitution enacted in 
public places at every hour of the day and 
night." 

The Internet site is at http.7/ 
www.stpaul.gov/police 

Pager messages 
intercepted 

A news agency in the US has admit- 
ted breaking the law by intercepting 
pager messages from the police and sell- 
ing tips on to newspapers and television 
stations. 

Breaking News Network has pleaded 
guilty, along with its owners and general 
manager, of illegally intercepting mes- 
sages from public agencies, including the 
New York Police Department. 

BNN, based in Fort Lee, New Jersey, 
pleaded guilty to one count of illegally 
manufacturing and possessing software 
and cloned pagers programmed to inter- 
cept police and fire department pager 
messages. 

Owners of BNN, Steve and Robert 
Gessman, of Cliffside Park, New Jersey, 
and general manager Vinnie Martin, of 
North Bergen, New Jersey, also pleaded 
guilty to the same charges. BNN faces a 
maximum fine of $500,000, while the 
three individuals face a maximum pen- 
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alty of one year in prison and a $10,000 
fine each. 

US Attorney for the Southern District 
of New York, Mary Jo White, said the 
arrests and convictions against BNN 
mark the first-ever prosecutions and con- 
victions of unlawful interceptions of 
messages sent to pagers. 

She said: "These arrests should serve 
as a wake-up call to all who would be 
tempted to snoop on the electronic com- 
munications of others." 

Charges still are pending against a 
fourth individual, Jeffrey R. Moss, of 
Manhattan, a former "dispatcher" for 
BNN, for the unlawful interception of 
paged messages sent to, among others, 
the NYPD, NYFD, the New York City 
Office of Emergency Management, 
Emergency Medical Services, a New 
York City Commissioner, and a New 
York City District Attorney's Office. 

Moss also was charged with the un- 
lawful possession of a computer software 
package called "Message Tracker" that 
allowed him to monitor messages sent to 
those pagers and others. 

The arrests grew out of a NYPD in- 
vestigation called Operation Pagergate 
and after first uncovering the alleged 
scheme, the NYPD teamed up with the 
FBI's Electronic Crimes Task Force. 

White said that in early 1997, Martin 
gave a confidential informant, who 
worked as a BNN "dispatcher", a cloned 
pager that was programmed to illegally 
receive intercepted pager messages. 
Gessman then instructed the informant to 
use the cloned pager in connection with 
his duties for BNN. 

According to White, the informant 
gave the cloned pager to a Secret Serv- 
ice agent, and an analysis revealed that it 
was a cloned NYPD pager also pro- 
grammed to intercept messages being 
sent to an individual in the Office ofNew 
York City Mayor Rudolph Giuliani. 

Along with being a "wake up" call to 
criminals, White also said the case was a 
message to the public, as well as the busi- 
ness and law enforcement communities 
of America. 

She said: "If you are using a paging 
system, your communications may not be 
secure. No governmental agency or busi- 
ness is immune from this illegal moni- 
toring." 



Hong Kong decency 
code 

The Hong Kong government and In- 
ternet service providers are issuing a code 
of practice in a bid to stop indecent anc 
obscene material online. 

Officials hope the measures will pre- 
vent users placing and sending illegal pic- 
tures and text, including pornography. 

The Hong Kong Internet Service Pro- 
viders Association, which has 40 mem- 
bers, said it would block web sites which 
were found to contain obscene materia] 
once it received a complaint. 

A spokesman for the society said: 
"We have consulted all our members in 
drawing up the code of practice and have 
obtained their full support in its imple- 
mentation. 

"All our members agree that thev 
have an important social responsibility 
to fulfil." 

Swiss man arrested in 
porn sweep 

A computer assistant at Basle Univer- 
sity in Switzerland has been arrested and 
charged with possession of Internet por- 
nography. 

The 31 -year-old was targeted after a 
tip-off led police to examine the univer- 
sity Web site server, which was shut down 
while officials checked it. When police 
raided the man's home they found fur- 
ther pornographic images on his own PC. 

Possession of child pornography is 
not an offence under Swiss law, but the 
man could be charged with transmitting 
the online material and if found guilty 
sentenced to up to three years in prison. 

Law to handle cyber 
signatures 

Legislation to clarify the use of so- 
called digital signatures could be intro- 
duced across the US to boost Internet 
business. 

Senator Bob Bennet told a hearing of 
the Senate Banking Committee's finan- 
cial services subcommittee that federal 
action was needed to prevent individual 
states introducing their own, possibly 
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uconsistent, laws which might stifle 
mline commerce. 

He said: "Internet transactions do not 
espect state boundaries and it may be 
iifficult for parties to determine which 
state law governs a particular transac- 
lon." 

Digital signatures, which include 
lentifying codes attached to electronic 
documents, are used to verify and authen- 
:icate e-mail and contracts over the Net. 

About 14 states already have laws 
governing electronic agreements, but 
some financial industry leaders fear that 
contradictory standards could badly 
hinder trade. 

Alfred Pollard, senior director of the 
Bankers Roundtable, said: "State laws 
that conflict with one another as enacted 
or that may conflict under regulatory or 
judicial interpretation, run counter to the 
critical need for certainty in the authen- 
tication process." 

Senator Bennet has not released spe- 
cific details of his proposal but said the 
bill would be introduced early next year. 

'internet filfertnig and 
^content meeting 

Delegates to a conference in the US 
heard about the latest developments in 
the fight to curb the worst excesses of 
the Net. 

The meeting, sponsored by Digital 
Equipment and called Balancing the 
Scales, was held in Washington DC and 
focused on the rights, responsibilities and 
technologies at the heart of the debate. 

It also examined the next generation 
of solutions to protect children and in- 
crease the scope of business carried out 
on the Web. 

Director ofbusiness development for 
Digital's AltaVista search engine Abe 
Hirsch said: "Our goal is to look at solu- 
tions for Internet content filtering that go 
beyond simply protecting children from 
objectionable, sexual material. 

"A new approach is needed to do 
more than just protect children from in- 
appropriate material. Solutions must also 
assist in greater productivity and allow 
many diverse communities on the Inter- 
net to view the Web in accordance to their 
interests or unique points of view." 



Web users tricked by 
trade marks 

Website managers are breaking the 
law to lure Net users to their pages, warns 
the UK Institute of Trade Mark Agents. 

According to the IoTMA, there are 
many thousands of breaches of trade 
marks hidden in the subscripts of 
websites. These "invisible" words can- 
not normally be seen but act as identify- 
ing tags when a user searches for spe- 
cific words or phrases. 

Trade mark experts at the Institute say 
many businesses are using their competi- 
tors' names buried in their own websites 
to increase the number of page hits and 
steal trade. 

Ian Buchan, of the Institute, said: "Be 
warned. In the US this activity is now the 
subject of litigation under trade mark law. 
Companies are being sued for trademark 
infringement and unfair competition. 

"What happens in business litigation 
in the US today invariably happens here 
tomorrow." 

The Institute advise all businesses to 
carefully police the use of their trade 
mark names on the web, and warns that 
those abusing the system could face be- 
ing sued and paying sizeable damages. 

Mr Buchan added: "As more organi- 
sations, particularly smaller businesses, 
begin to trade on the Internet, this level 
of protection will become more impor- 
tant than ever. 

"Don't let your competitors steal a 
march on you, and don't let them capi- 
talise on your name and investment." 

Thieves grab millions 
in software 

Raiders broke into printers working 
for Microsoft in the UK and stole CD- 
ROMs and authenticity certificates worth 
up to £30 million. 

No actual finished product was sto- 
len, but the thieves got away with more 
than 100,000 CD-ROM discs plus docu- 
mentation which could be used to create 
pirated software packages. 

A gang of four masked men, one 
armed, attacked and overpowered two 
security guards at Thompson Litho, in 
East Kilbride in Scotland, a company that 



is authorised to produce official Micro- 
soft products. 

The gang escaped with 200,000 au- 
thenticity certificates and copies of MS- 
Office, Encarta and other applications, 
all of which could be used, company of- 
ficials claim, to create up to £30 million 
worth of illegal software. 

Net censoring blasted 

New legislation in the US aimed at 
banning online material deemed "harm- 
ful to minors" would run roughshod over 
the law, according to the American Civil 
Liberties Union. 

The ACLU fear that the law would 
run counter to a landmark US Supreme 
Court decision affirming free speech on 
the Internet. 

The legislation, introduced by Sena- 
tor Dan Coats, an original sponsor of the 
Communications Decency Act struck 
down by the Supreme Court in June, 
would amend section 223 of the Com- 
munications Act of 1934. 

It aims to "establish a prohibition on 
commercial distribution on the World 
Wide Web of material that is harmful to 
minors, and for other purposes". 

The bill, referred to the Senate Com- 
mittee on Commerce, Science, and Trans- 
portation, states that "whoever in inter- 
state or foreign commerce in or through 
the World Wide Web is engaged in the 
business of the commercial distribution 
of material that is harmful to minors shall 
restrict access to such material by per- 
sons under 17 years of age " 

Offenders would face fines up to 
$50,000, and up to six months in jail. 

The bill also requires Web sites to use 
a verified credit card, debit account, adult 
access code, or adult personal identifi- 
cation number to determine if a person 
accessing the site is over 17. 

ACLU national staff attorney Ann 
Beeson said: "By claiming that the bill 
address only Web sites involved in com- 
mercial distribution, Senator Coats says 
he is 'hunting with a rifle,' but in fact has 
lobbed another virtual grenade attack into 
the heart of the Internet." 

Unlike the CD A, Coats' bill only ap- 
plies to Web sites, and not to chat rooms, 
e-mail or news groups. 

Beeson added that under Coats' bill, 
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any business "merely displaying material 
without first requiring a credit card or 
other proof of age could be found liable 
under the statute, even if no actual sale is 
involved. 

She added that there also are "seri- 
ous constitutional problems" as well, with 
the bill's definition of "harmful to mi- 
nors". 

Arrests in clone 
phone scams 

A US man has been arrested and 
charged with operating a clone phone 
scheme. 

Juan Pena, from Lynn, Massachusetts, 
who was previously arrested on a crimi- 
nal complaint, was indicted by a federal 
grand jury and charged with violating 
federal telecommunications fraud law. 

According to the indictment, Pena not 
only trafficked in clone phones, but pos- 
sessed sophisticated computer equipment 
in order to complete the cloning process. 

A cloned phone refers to one in which 
the numbers assigned to a legitimate cel- 
lular telephone subscriber are illegally 
obtained by the doner, and then pro- 
grammed, usually using special compu- 
ter software, into another cellular phone. 

That phone is then sold by the doner 
to a third party and when the purchaser 
of the cloned phone makes calls, those 
calls are then billed to the legitimate cel- 
lular telephone subscriber's account. 

According to US Attorney Donald 
Stern, fraud costs cellular carriers more 
than $650 million a year nationwide. 

Stern said Pena was also charged with 
possessing a scanning receiver, compu- 
ter hardware and software and a "copy 
cat" box to illegally obtain telecommu- 
nication services. 

If convicted, Pena faces maximum 
penalties ofup to 15 years imprisonment 
and a fine ofup to $250,000. The case 
was investigated by the US Secret Serv- 
ice and is being prosecuted by Assistant 
US Attorney Nadine Pellegrini of Stern's 
Major Crimes Unit. 

O The St. Paul Police Department 
in Minnesota arrested 28 people using 
cloned cellular phones to conduct illegal 
drug sales in a two-day sting operation. 

The dragnet culminated two months 



of police investigation together with 
AirTouch Cellular. 

LeAnn Talbot, vice president and area 
general manager for AirTouch Cellular 
in the Midwest region, said the sting cen- 
tred around a simulated cellular store in 
St. Paul. 

AirTouch provided signs, training, 
equipment and cellular airtime needed to 
run the storefront, she said, while under- 
cover officers sold cloned phones from 
the location, and in the process gathered 
evidence which led to the arrests. 

A new bill, the Wireless Telephone 
Protection Act passed by the US Senate, 
would amend the federal criminal code 
to crack down on those who try similar 
phone scams. 

While the legislation includes excep- 
tions for legitimate investigative use by 
law enforcement and the telecommuni- 
cations industry, it provides increased 
penalties for a second or recurrent of- 
fence for fraudulent activities involving 
counterfeit communications access de- 
vices. 

Return of the spam 

When mass commercial e-mailer 
Cyber Promotions was forced off the In- 
ternet last month, president Sanford 
Wallace vowed to return. 

Now it looks like the self-styled 
"spam king" is about to make good on 
his promise with the launch of his own 
network, dedicated to sending unsolic- 
ited commercial e-mail, known as spam. 

In a press release apparently from 
partner Walt Rines, via a Hotmail e-mail 
account, the two wrote, "Sanford 
Wallace, Walt Rines and an undisclosed 
third party have formed Global Technol- 
ogy Marketing, Inc. 

The new corporation will offer direct, 
high speed T-l and T3 Internet connec- 
tions to companies that engage in mass 
commercial e-mail. 

"Currently, there are no other back- 
bone providers that allow customers to 
send spam," continued the release. 

Wallace lost his Internet connection 
after a court case that saw his service pro- 
vider, AGIS, battle for the ability to dis- 
connect his company. AGIS, which had 
been happily supplying his Internet con- 
nection for some time, sought to discon- 



nect Cyber Promotions after attacks oi 
the spam network brought down ma 
chines at AGIS. 

After losing the court case, Wallace 
said: "The anti-spammers have not wor 
this war, they have just made it more dif- 
ficult for themselves as we will now senc 
mail from different sources." 

In the press release, Wallace said: 
"We are very excited about this new 
project. For the first time ever, Internel 
marketers will be encouraged to engage 
in direct advertising, a practice which is 
already accepted in the postal world." 

Walt Rines said: "Finally, bulk e- 
mailers will have an opportunity to le- 
gitimise this new industry. We are going 
to prove that this explosive new markel 
can be self-regulated." 

Attack on Thailand 
software piracy 

The Business Software Alliance is 
aiming to cut software piracy in Thailand 
by stepping up its campaign of education 
and legal action. 

According to BSA Spokesman Huey 
Tan, the software infringement rate in the 
Asian marketplace in 1996 was approxi- 
mately 80 per cent with Thailand sport- 
ing one of the highest rates, costing 
around US $137 million. 

The BSA hopes to reduce the soft- 
ware piracy rate to 60 percent within the 
next three to five years by working 
closely with the Department of Intellec- 
tual Property and universities to conduct 
seminars throughout the country. 

Recently the BSA, in co-operation 
with the Economic Crime Investigation 
Division and representatives of the DIP, 
raided the offices of Asian Marine Serv- 
ices Pel in Samutprakarn for copyright 
infringement and found up to 47 unli- 
censed copies of software. 

Baker and McKenzie Attorneys at 
Law representative Dhiraphol 
Suwanprateep said currently there are 
around 20 to 30 software infringement 
cases under court consideration, and that 
on December 1 , the Intellectual Property 
court would be officially established. 

Any case can be transferred from the 
existing court to the IP court, depending 
on both the victim and the accused. 
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Call for cybercop 
network in US 

New York Attorney General Dennis 
v /acco has called on police across the US 
o co-operate in the fight against online 
jaedophiles. 

He spoke out at a training seminar of 
law enforcement personnel from more 
than two dozen states in an effort to forge 
an alliance and share resources in the 
battle against child porn. 

Vacco, who recently was appointed 
chairman of the subcommittee on Inter- 
net Child Pornography of the National 
Association of Attorneys General, said 
he is "vigorously addressing" the flood 
of child pornography on the Internet by 
calling on law enforcement agencies from 
across the nation to join him against "this 
vile form of child exploitation." 

He said: "Innocent children are be- 
ing victimised and exploited in order to 
feed the appetite of these creeps who 
want to look at computer images of chil- 
dren being raped and abused. 

"I am not going to stand for it. We 
are going to continue to lock up the pur- 
veyors of child pornography and hold 
them accountable for their actions." 

Vacco is behind a dragnet to investi- 
gate and prosecute those who abuse the 
Internet by using it to download illegal 
material or lure children and teenagers 
mto illegal activity. 

During the seminar, Vacco urged the 
formation of a "new partnership of cyber 
oops ready and capable of tackling the 
growing menace of vile child pornogra- 
phy on the Internet." 

He added: "Chat rooms in cyberspace 
are literally packed with perverts who are 
all too willing to transmit illegal kiddie 
porn into your home and mine with just 
a click of the mouse. 

"To combat this victimisation of in- 
nocent children, we need to strengthen 
our efforts by joining forces from Maine 
to California. By building a new partner- 
ship of computer-savvy cyber cops, we 
can comer these cowards in their own and 
thus protect the families of America." 

Vacco said evidence gleaned from a 
number of child porn investigations, in- 
cluding one involving a Staten Island man 
arraigned on child molestation charges, 



has demonstrated a connection between 
child porn and the sexual abuse of inno- 
cent youngsters. 

He said: "Making child pornography 
so accessible to a paedophile is akin to 
throwing gasoline on a fire. It fuels the 
urge to hunt for victims and abuse them." 

Vacco noted his office has been work- 
ing with Internet service providers, in- 
cluding America Online, to generate in- 
formation about those computer users 
who have been transmitting illegal child 
porn over the Internet. 

"We have more cases in the pipeline, 
and we know we could do so much more 
with adequate resources," Vacco said. 
"That is why we need to assist one an- 
other and band together and share our 
most successful techniques and investi- 
gative methods. The price of inaction is 
unacceptable, because the victims are 
defenceless children." 

He said that the investigation is ex- 
pected to continue using new funding 
provided by the Legislature for creation 
of the Attorney General's Internet and 
Computer Unit. 

• The latest success of Operation 
Ripcord has been the arrest of a 32-year- 
old man from Richmond Springs, New 
York, who was charged with crimes stem- 
ming from the illicit Internet transmis- 
sion of child pornography. 

According to Vacco, the suspect 
Edward Domion was charged with pro- 
moting the obscene sexual performance 
of a child, a Class D Felony punishable 
by up to seven years in prison. 

Vacco said investigators found an as- 
sortment of images depicting young chil- 
dren being sexually exploited. 

So far the ongoing joint sting opera- 
tion has uncovered child porn traffickers 
throughout the US, and as far away as 
Germany, Switzerland, and the UK. 

And the sweeping New York-based 
probe, alternately dubbed Operation Rip 
Cord by Attorney General Vacco 's inves- 
tigators, and Tholian Web by the US 
Customs Service, has so far resulted in 
over 120 prosecution referrals, and at 
least 32 convictions across the US, with 
13 prosecutions in New York State. 

Investigators have amassed more than 
200,000 child porn images, and seized 
more than $137,000 in home computer 
equipment. 



Refunds for fraud 
victims 

The Federal Trade Commission in the 
US has promised that people who fell 
victim to a high-tech Internet scam will 
get their money back. 

Users who found they had run up huge 
phone bills on calls after their modems 
were automatically switched to expensive 
international numbers will get refunds 
totalling more than $2.74 million. 

About 38,000 Web surfers were lured 
into visiting Web sites and downloading 
special viewer software in order to ac- 
cess sexually explicit pictures. 

But the software automatically dis- 
connected users from their local Internet 
providers and then dialled and recon- 
nected using long-distance numbers as- 
signed to Moldova in the former USSR. 

The FTC said that because the mo- 
dems remained connected when the us- 
ers left the Web sites or left the Net en- 
tirely, many of them got phone bills to- 
talling hundreds or thousands of dollars. 

And investigations showed that the 
calls never actually connected to 
Moldova but terminated in Canada, yet 
consumers were billed for the Moldovan- 
priced call. 

Now the FTC has reached settlements 
with a number of firms and individuals 
charged by the agency with involvement 
in the scam. 

This will prohibit the defendants from 
similar behaviour in the future as well as 
stop them from distributing the viewer 
software, called "david.exe". 

Saudi censors Net 

Saudi Arabia is to get a sanitised ver- 
sion of the Internet to make sure its citi- 
zens do not have access to offending 
material. 

The country will introduce its own 
Net within six months, but the content 
will be strictly controlled in accordance 
with Islamic law. 

Head ofthe King Abdel-Aziz City for 
Science and Technology Dr Saleh al- 
Athel said that study had been completed 
on how to prevent "objectionable mate- 
rial that goes against the country's reli- 
gious and moral values". 
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Anti-fraud technology 

A UK firm has developed an alarm 
system designed to combat the growing 
problem of dial-through fraud on tel- 
ephone systems. 

Foundation Data Systems, based in 
Christchurch, Dorset, said its Tracker 
system combats dial-through fraud, also 
known as toll fraud, which occurs when 
a company's telephone system is used by 
outsiders to make free telephone calls at 
the company's expense. 

John Owen, a spokesperson for the 
company, said the activity has been 
prevalent in the US and Canada for some 
years and is fast becoming a major prob- 
lem in the rest of the world. According 
to FDS, its system can monitor an unlim- 
ited number of telephone switches, 24 
hours a day 365 days a year, and produce 
alarms back to monitoring stations. 

The company claims that each site can 
be individually configured to report any 
unusual telephone activity both during 
and outside of normal working hours. 

With the risk of losing thousands of 
pounds to hackers, the FDS says that no 
company can afford to be without the 
Tracker system. 

It claims that the current growth of 
fraud is being assisted by the popularity 
of voice mail systems, the provision of 
Direct Inward System Access numbers 
and the use of private automatic branch 
exchange maintenance modems. 

Hackers steal DISA numbers and 
make fraudulent calls. They also use so- 
phisticated software packages to call a 
company's system and try to establish on 
which numbers a modem exist. 

They will then try calling these mo- 
dems and try to hack into the system us- 
ing various methods. 

The firm says that companies that 
publish toll-free numbers are most at risk 
as calls to these are free to incoming call- 
ers. And it fears that the popularity of the 
Internet allows a hacker to easily send 
information to a large community, so 
others can then make fraudulent calls. 

The Tracker system is billed as moni- 
toring calls made online to check for 
hacking activity and can also produce 
reports offline which can be used to ana- 
lyse all telephone activity. 

In use, a Tracker box is fitted to the 



call logging port of every PABX tel- 
ephone switch to be monitored. It can 
store all call records output by the PABX 
for later analysis and can be used to 
search the incoming data against a 
number of user-defined criteria to look 
for unusual call patterns. 

This change in call pattern can be 
used to produce an alarm if a hacker is 
attempting to break into a PABX or if 
fraudulent calls are being made. Call pat- 
terns in and out of working hours can be 
customised on a site by site basis. 

The stored call records can be auto- 
matically collected by Foundation's 
Eclipse Call Management System each 
night. Management reports can be auto- 
matically produced and these can be ana- 
lysed to check for fraudulent traffic. 

Contact Foundation Data Systems on 
tel: +44 (0)1425 270333, fax +44 
(0)1425 270433; e-mail: 
sales @f dsl. demon, co.uk 

Computer to find 
abducted children 

A computer system has been devel- 
oped to help law enforcement agencies 
find missing children in the most critical 
first four hours after an abduction. 

The TRAK Media Station Package is 
a computer system capable of scanning, 
storing, copying, receiving and sending 
faxes. 

Bob Asquith founder of the TRAK 
system said: "We are a grassroots organi- 
zation and we want to get anyone and 
everyone involved to help bring these 
systems to local police stations. 

"From tragedies like the Polly Klass 
abduction and murder, law enforcement 
agencies have learned the first four hours 
after an abduction are critical. 

"After that time the likelihood of a 
positive recovery is drastically reduced. 
The TRAK system is built around a mas- 
sive response within the four-hour win- 
dow. 

"The real situation is that high-tech 
for most police departments is a fax ma- 
chine and copier. That is just not going 
to get the job done." 

Behind the system is the idea to move 
quickly in a four-hour window to get 
images and critical data not just to on- 



duty police officers and other law en 
forcement agencies, but to an entire com 
munity. 

Asquith, formed SocialTech Inc., i 
not-for-profit corporation in Burlingame 
California. "Law enforcement agencies 
in most cases do not have the money tc 
buy these systems. We have to give their 
away in order for TRAK to be in the righl 
hands," he said. 

By the end of 1997, he says approxi- 
mately 175 TRAK systems will be de- 
ployed. More than 17,600 installations 
are needed to create a nationwide "im- 
mediate response" network. 

More information is available at http:/ 
Avww.trak.org . 

Cyber investigation 
firm launch in US 

A UK firm which specialises in find- 
ing and analysing computer evidence has 
expanded to operate in the US. 

London-based Computer Forensic In- 
vestigations Ltd will help companies, 
lawyers and accountants to uncover hid- 
den data on a computer's hard drive 
which could be central in any prosecu- 
tion or civil action. 

Chief executive officer of the firm 
Tim Allen said: "In any investigation, and 
particularly those involving fraud, elec- 
tronic data found on computers can pro- 
vide the key to a successful prosecution. 

"However, to get access to the criti- 
cal information, which often lies hidden, 
the hard disks of the computers associ- 
ated with the fraud and the floppy disks 
used by the suspects have to be copied in 
such a way that any information recov- 
ered will be suitable as evidence in court. 

"The key to solving today's high-tech 
cases is to retain the evidential integrity 
of the data, otherwise subsequent analy- 
sis may be worthless." 

The firm uses the proprietry DIBS® 
disk imaging backup system, developed 
by UK company Computer Forensics, to 
retrieve and analyse the data. Its makers 
say it works even if the information has 
been disguised, encrypted or deleted and 
that it does not compromise or affect the 
orginal system hardware or software in 
any way. 

Computer Forensic Investigations 
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resident Peter Verreck said: "Already 
umerous criminals have been caught and 
millions of dollars have been recovered 
i hanks to this system. 

"A common reaction when criminals 
re tipped off that they are fraud suspects 
i s to tap away at the PC and try to delete 
whatever they can as quickly as possi- 
>le. Unfortunately for them, we can rec- 
reate deleted files quite easily." 1 

The firm can be contacted on +44 
0)171 353 3777 or by e-mail at 
nfo@computer-forensic- i nv.com 

Fighting Net hate 

Bell Atlantic has joined with the civil 
ights groups to launch a new World Wide 
vVeb site to combat the escalating prob- 
em of hate speech on the Internet. 

The firm has teamed up with the 
Leadership Conference on Civil Rights 
md the Leadership Conference Educa- 
tion Fund to set up a Web site offering 
advice and help. 

Bell Atlantic chairman and chief ex- 
ecutive officer Ray Smith said: "We saw 
an opportunity to join forces with the civil 
rights community to counter the fright- 
ening espousal of hatred and violence 
against Americans because of their race, 
gender, religion, or sexual orientation." 

LCCR Executive Director Wade 
Henderson said the idea to create an In- 
ternet site was also triggered by the pro- 
liferation of Internet hate speech by 
groups such as the Ku Klux Klan and the 
White Aryan Resistance. 

Such hate groups have become more 
sophisticated in recruiting, and the 
number of hate sites on the Internet has 
more than doubled to 250 in the last year. 

The LCCR/LCEF Web site will pro- 
vide up-to-date information on hate 
crimes around the country, community, 
legal and law enforcement strategies to 
address those crimes and materials for 
young people, parents, and teachers. 

program 

A new software toolkit has been 
launched by US firm Pretty Good Pri- 
vacy Inc which will allow non-computer 
experts to build security into applications. 

Launching PGPsdk, the firm said it 



was the strongest commercially available 
product and could be used without any 
expertise in cryptography. 

The system features 128 bit technol- 
ogy as well as encryption, decryption, 
digital signature and verification and is 
available for development on Windows 
95, NT, Macintosh, Sun Solaris Sparc 2.5 
and Linux platforms. 

PGP president Phil Dunkelberger said 
the system would boost confidence in 
trade on the Internet as well as help those 
who rely heavily on sensitive electronic 
communication. 

For more information, the firm's 
website is at http : //www. p gp . com 

Web based crime 
fighting tool 

A new service which lets law enforce- 
ment agencies share important informa- 
tion on the Internet has been launched in 

the US. 

The Bastille project, which will come 
online in February next year, features 
secure and encrypted databases accessi- 
ble only by the relevant groups who sub- 
scribe. 

Developers of the service, GTE Corp, 
say that with just a few mouse clicks of- 
ficers and detectives can search for in- 
formation including specific offenders, 
drug gangs, suspects, missing children, 
crime blackspots and sex offender release 
notifications. 

Dan Jensen, vice president of GTE 
Enterprise Solutions said: "Bastille will 
use the Internet to virtually unify our na- 
tion's law enforcement efforts in the war 
against drugs, and delivers a cyber- 
knockout punch to criminals and gangs." 

Dave Watkins, general manager of 
law enforcement services for the firm, 
said: "It gives law enforcement officers 
a secure forum to exchange information 
with individuals, specific groups or other 
agencies through information broadcasts, 
news groups, officer to officer e-mail and 
remote mobile access. 

"Since the content of Bastille will be 
produced by law enforcement agencies, 
the service will be of greatest benefit as 
more and more agencies subscribe to the 
service, broadening the base of case in- 
formation that is stored in the databases." 



Already about a dozen Texas law en- 
forcement agencies have begun using the 
system as part of a six-month trial. 

Membership of the scheme costs 
$ 1 99 per month, which includes the soft- 
ware installation and set-up, training and 
technical support, as well as a 28.8 kbps 
modem/smart card reader. Agencies who 
sign up for a three year period will re- 
ceive 200MMX PC system as well as a 
ten per cent monthly discount. 

For more information contact GTE on 
+ 1 813 273 6900 or send e-mail to 
info@admin.bastille.com 

Private eye on the Net 

An Internet site has been set up to help 
people find out the truth about others they 
meet online. 

The service, run by a Californian law- 
yer in the US, aims to help Net users 
check whether others are really who they 
claim to be. 

There have been numerous cases of 
people using the anonymity of 
cyberspace to lie about their names, ad- 
dresses, occupations, intentions and even 
their sex. 

The WhoIsShe.com and 
WhoIsHe.com Web sites, was set up by 
Linda Alexander, a San Diego attorney, 
who charges $75 for a basic inquiry. 

A detailed questionnaire is at each site 
to provide as much information as possi- 
ble about the subject to be targeted. 

Alexander said: "Everything I find 
out is public information. Finding out 
what people want to know is all from 
public records, but it takes time and you 
do have to know where to look. 

"Just call me the Sherlock Holmes of 
the Internet. I feel this is an important 
service, something that should be done 
sooner not later." 

Citing examples ofher investigations, 
she said: "One woman met a man on the 
Internet who told her his wife was killed 
in a car accident. She turned out to be 
still alive. And another claimed to be a 
doctor, but wasn't." 

She added: "Lies are lies whether they 
are online or on paper." 
To access the service go to http:// 
www.WhoIsShe.com and http:// 
www.WhoIsHe.com . 



International Journal of Forensic Computing 



November 1997 



Threat of hackers 



Scare stories about hackers who break into government and 
military computers have been a favourite Hollywood 
theme. But the findings of a US investigation has reavealed 
that the threat is very real. Paul Johnson reports. 



The United States is vulnerable to 
computer based attacks and authorities 
have to increase security measures, ac- 
cording to a top level report. 

A presidential commission says that 
the major computer networks and sys- 
tems are vulnerable to terrorists and hack- 
ers who could wreak havoc with the gov- 
ernment and the economy. 

The Commission on Critical Infra- 
structure Protection has delivered a clas- 
sified report to the White House which 
says the US 's dependence on computers 
for its security, business and way of life 
make the country increasingly vulnerable 
to computer attacks that could easily wipe 
out communications and electricity grids. 

The report said: "National defense is 
not just about government anymore, and 
economic security is not just about busi- 
ness anymore. 

"Today, the right command sent over 
the Internet to a power generating sta- 
tion's control computer could be just as 
effective as a backpack full of explosives 
and the perpetrator would be harder to 
identify and apprehend. 

"Infrastructure assurance must be a 
high priority for the nation in the Infor- 
mation Age. With escalating dependence 
on information and telecommunications, 
our infrastructures no longer enjoy the 
protection of oceans and military forces. 
They are vulnerable in new ways. We 
must protect them in new ways." 

And the report said as more people 
became computer literate in society, the 
numbers capable of planning and execut- 
ing a cyber attack grew as well. 

It said: "The wide adoption of public 
protocols for system interconnection and 
the availability of hacker tool libaries 
make their task easier. 

"While the resources needed to con- 
duct a physical attack have not changed 
much recently, the resources necessary 
to conduct a cyber attack are now com- 
monplace. 

"A personal computer and a simple 
telephone connection to an Internet serv- 
ice provider anywhere in the world are 



enough to cause a great deal of harm." 

The commission recommended set- 
ting up a programme across the country 
to educate people from all walks of life 
about the potential threat and what meas- 
ures can be taken to counteract it. 

It also said that the existing laws 
should be changed to cope with hackers 
using the Net. 

"Law has failed to keep pace with 
technology. Some laws capable of pro- 
moting assurance are not as clear or ef- 
fective as they could be," the report said. 

It added that because altering the leg- 
islation would be a "lengthy and massive 
undertaking," measures would have to be 
taken to jump start the process. 

"We identified existing laws that 
could help the government take the lead 
and serve as a model of standards and 
practices for the private sector. We iden- 
tified other areas of law that can enable 
infrastructure owners and operators to 
take precautions proportionate to the 
threat." 



The commission recommended dou 
bling the $250 million the federal gov 
ernment now spends on research into 
beating hackers and it is reported that this 
$500 million will be increased by $100 
million each year until $ 1 billion is dedi 
cated to it by the year 2004. 

It is thought much of the money would 
go to universities and private firms to 
fund research into ever more sophisti- 
cated intrusion detection devices. 

White House spokesman PJ Crowley 
said that a task force composed of repre- 
sentatives from several government agen- 
cies will review the commission's report 
and come up with their own findings. 

And an advisory committee headed 
by former senator Sam Nunn and former 
Deputy Attorney General Jamie Gorelick 
will work with the private sector on ways 
to stop criminals using computers in 
cyber attacks. 

At a recent conference on computer 
security, commission chairman Robert 
Marsh said misuse of the Internet posed 
a real threat. He said: "While a cata- 
strophic cyber attack has not occurred, 
we have enough isolated incidents to 
know that the potential for disaster is real 
and the time to act is now." 



US Defence computers under attack 



Hackers broke into more than 250 
US Defence Department computers 
last year and the number is predicted 
to double this yean 

The startling figures were re- 
vealed by a senior US intelligence 
official and will add weight to the call 
for public authorities to take a 
tougher stance on security and com- 
puter crime investigation. 

Air Force Lt Gen Kenneth 
Minihan, director of the National 
Security Agency, told the Association 
of Former Intelligence Officers' an- 
nual convention that people should 
be afraid of computer misuse. 

He said: "We have evidence that 
our known network and computer 
communications vulnerabilities are 
being exploited by attackers." 

The NSA is regarded as a "secret" 
government body which monitors 



global communications. 

Minihan did not identify the cul- 
prit or culprits or say what informa- 
tion had been stolen or what dam- 
age to systems had been done. 

In his remarks to the convention, 
he said mounting reliance on com- 
puters had heightened vulnerability 
to "adversarial nation-states" as well 
as guerilla groups, narcotics traffick- 
ers and organised crime syndicates. 

He said that the 1.3 million local 
area networks in the US are being 
threatened by both network sniffer 
programs which monitor online 
communications, and by attack pro- 
grams which could disable systems. 

And he claims that the US "will 
eventually pay for" building its in- 
formation infrastructure "on a poor 
foundation" unless it increases com- 
puter system protection. 
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Court reports 



Hacker case dropped 

Charges in the UK against an alleged 
computer hacker who was said to have 
nearly started a war between North and 
South Korea after gaining access to US 
military computers have been dropped. 

At an appearance at court in London, 
prosecuting solicitor Andrew Mitchell 
;aid that it was not in the public interest 
for the case against Matthew Bevan, aged 
23, to now continue. 

Be van's alleged colleague, Richard 
Pryce, now aged 19, of Colindale in Lon- 
don, has already been fined £1,200 by 
Bow Street Magistrates Court, over the 
unauthorised accesses, which prosecutors 
said occurred in 1994. 

While Pryce elected to be tried at the 
Magistrates Court, Bevan opted for trial 
by jury in the higher Crown Court, where 
his charges were dropped. 

At Bevan 's preliminary hearing, he 
was alleged to have gained unauthorised 
access into US military computers and 
into the computer systems of the North 
Korean defence systems. 

This led the Koreans to assume that 
it was the US military that had gained 
access to its computer systems, as part 
of the preparations for a war against 
North Korea and the online incidents 
sparked a serious diplomatic incident. 

After Bevan 's case was transferred to 
the Crown Court, Judge Geoffrey Rivlin 
was told that the proposed trial would last 
several months and almost certainly re- 
sult in classified information being re- 
vealed in a public courtroom. 

Coupled with the need for several 
thousands of pages of documentation and 
at least 10 witnesses to fly in from the 
US, the prosecution was asked to "con- 
sider its position." 

According to Peter Sommer, a senior 
research fellow at the Computer Security 
Research Center at the London School 
of Economics, who acted as defence ex- 
pert to both Pryce and Bevan, the case 
failed because the UK prosecution au- 
thorities recognized that going to full trial 
would be both very expensive and have 
a high chance of failure. 

He said: "The expense would come 
from the length of trial and the numbers 
ofUSAF personnel and others who have 



had to be flown into London. He added 
that he believed that a lot of the US evi- 
dence would have collapsed on detailed 
scrutiny. 

He said: "The US cyber sleuth teams 
simply did not understand the difference 
between conducting a technical investi- 
gation and producing robust admissible 
evidence. Perhaps that's because they 
were service personnel and not police. 

"The US authorities were refusing 
access to the source code of some of the 
Internet monitoring software they were 
using, essential if its reliability is to be 
fairly assessed, and the work of teams 
was being artificially summarised with- 
out any opportunity to test the original. 

"Worst of all, having set traps to catch 
hackers, they neglected to produce "be- 
fore" and "after" file dumps of the target 
computers. 

"In a way I'm disappointed that there 
was so little opportunity to test the tech- 
nical evidence as the two cases were 
something of a test-bed for new tech- 
niques in computer forensics." 

US man gets jailed 
for online porn 

A man has been sentenced to one year 
and three months imprisonment on a fed- 
eral child pornography charge. 

Robert Lightfoot Jr, 37, from 
Plainville, Massachusetts, was jailed by 
US District Judge Edward Harrington on 
a charge of having received child porno- 
graphic images contained in computer 
files on or about February 12, 1996, US 
Attorney Donald Stern said. 

In addition to the prison term, Judge 
Harrington also ordered forfeiture of two 
computer systems which Lightfoot used 
in the course of the offence. 

And he ordered Lightfoot to partici- 
pate in psychological treatment, and to 
have no unsupervised contact with mi- 
nors during the three-year period follow- 
ing release from prison. 

At an earlier hearing, a federal pros- 
ecutor told the Court that Lightfoot traded 
child pornography via newsgroups of- 
fered by several online services, includ- 
ing Prodigy and America Online, as well 
as directly with individuals first contacted 
through such groups. 



The three images, which are the sub- 
ject of the indictment, depict prepubes- 
cent children engaged in explicit sex. 

"Computer transmission of child por- 
nography, particularly via online services 
and the Internet, has revitalized a very 
troubling means of victimizing children, 
both those who are depicted in the por- 
nography and those who are preyed upon 
using such images to break down inhibi- 
tions," Stern said. 

"The ease with which this crime is 
committed is no defence," he said. "The 
federal sentencing guidelines treat child 
pornography in general very seriously, 
and computer transmission more so." 

The investigation against Lightfoot 
was conducted by the US Customs Serv- 
ice and was prosecuted by Assistant US 
Attorney Jeanne M. Kempthorne, deputy 
chief of Stern's Economic Crimes Unit. 

• Earlier this month, another Mas- 
sachusetts man, Ronald Langevin, was 
sentenced to two years and nine months 
in prison by US District Judge George 
O'Toole after Langevin pleaded guilty to 
a charge he had unlawfully possessed 
child pornography. 

Langevin also used America Online 
to obtain and transmit the pornographic 
images he was charged with possessing. 
Along with the prison term, Judge 
O'Toole also ordered that Langevin 's 
computer equipment be forfeited to the 
government. 

The case, investigated by the US Cus- 
toms Service and prosecuted by Assist- 
ant US Attorneys Timothy Feeley of 
Stern's Major Crimes Unit, and Shelbey 
Wright of Stern's Asset Forfeiture Unit, 
was part of Operation Rip Cord, an 18 
month, joint sting operation first 
launched by New York State Attorney 
General Dennis Vacco (see news on page 
seven). 

© A New York man also pleaded 
guilty to charges that he transmitted child 
porn images over the Internet. 

Martin Dano, 35, of West Bloomfield, 
New York, pleaded guilty before Ontario 
County Court Judge James Harvey in 
Canandaugua, New York, to a single 
count of "Possession of a Sexual Per- 
formance by a Child," a class "E" felony 
punishable by up to four years in prison. 
Sentencing will be on December 17. 
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gards to computer crime and hacking 

Abstract 
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Computer crime and hacking has re- 
sulted in a number of new laws in order 
to cope with this phenomenon. However, 
the number of reported incidents, and 
successful prosecutions are still very low, 
perhaps due to a lack of understanding 
of the law, the legal liabilities, the meth- 
ods of investigation and the preservation 
of evidence in this regard. 

It is believed that better education and 
awareness will result in better prepared 
networked organisation, followed by 
more legal proceedings in the future, but 
the current priority is to promote aware- 
ness of legal obligations of both organi- 
sations and individuals prone to casual 
hacking. 

This is to prevent the sacrifice of non- 
malicious hackers in order to set an ex- 
ample to the rest of society in the trans- 
formation towards a networked society. 

lo Introduction 

The importance of computer security 
and integrity needs no further elabora- 
tion, organisations that have fallen vic- 
tims to computer crime found out about 
these threats the hard way. They include 
financial loss (including loss of revenue 
and recovery costs), loss of consumer 
confidence, loss of data integrity, and 
incurring damages to a third party. 

Many of the victims of computer 
crime have chosen not to report them, sig- 
nificantly limiting the amount of infor- 
mation available [1]. However, the rapid 
growth of wide area networks especially 
the Internet, makes the potential for com- 
puter crime, especially computer hack- 
ing, even more disquieting. 

The high profile of computer hack- 
ing in the 1980s seems to have abated 
after new laws were introduced in both 
the UK (Computer Misuse Act 1 990), US 
(Computer Fraud and Abuse Act 1986) 
and in other countries. 

Several high profile crackdowns fo- 
cused the public's attention on hacking 
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(Sterling, 1993) (Hafner, 1992), and 
other forms of computer crimes 
(Essinger, 1990). What is the current sta- 
tus of computer hackers (Newsweek, 
1 995)? What is it that makes hacking sto- 
ries both inspirational and disgusting at 
the same time (Sterling, 1 993)? Are hack- 
ers now happily constrained by their own 
set of self-imposed ethical standards of 
behaviour [2]? Has the new laws and law 
enforcement persuaded them on the 
proper path[3]? Or have they found 
working for the authorities more reward- 
ing (Roush, 1995)? 

A wide range of social and legal is- 
sues have to be considered in order to 
answer these questions concerning the 
future of the networked society. Compu- 
ter hacking is an interesting social phe- 
nomenon, characterised by a fundamen- 
tal urge of individuals to gain control in 
the information age (Jennings, 1992). 

The wide publicity of computer hack- 
ing gives the general public an impres- 
sion that computer security is defence- 
less against the mystifying cult of hack- 
ers. Even with the increasing realisation 
that the network behaviour of individu- 
als are also susceptible to social norms 
and legal liabilities, the general feeling 



is that new legal and ethical systems are 
not yet in place, and the Robin Hoods of 
the 'electronic frontier' are to be toler- 
ated (Barlow, 1993). 

The legal dimension by itself is in- 
sufficient, law itself needs reform in or- 
der to fit changing social situations 
(Katsh, 1989). The specific and revolu- 
tionary features of information technol- 
ogy and the social phenomena of network 
society has to be considered (OECD, 
1986) (EPF, 1995). 

Much has been written about the se- 
curity aspects of computer crime and 
hacking (Pfleeger, 1989) (Fites & Kratz, 
1993), and numerous textbooks cover the 
criminal offences inflicted by hacking 
(Lloyd, 1993) (Bainbridge, 1993). 

Most academic, commercial, and leg- 
islative resources have been devoted to 
protecting the supposedly benign, and 
naive organisations that are victims of 
computer hacking. 

This article will focus on the legal li- 
abilities of networked organisations that 
have reasons to believe they are suscep- 
tible to computer crimes, especially those 
initiated by unauthorised access and 
hacking. 

Rather than addressing computer 
hackers as the mysterious 'computing un- 
derworld' (Sterling, 1993) (Hafner, 
1992), and placing all the social burden 
on 'deviant' hackers, organisations 
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should, review existing security policies 
and procedures, and possibly re-defme 
them if they are to receive the full sup- 
port of the law. 

2* Legislation and law 
relevant to computer crime 

Statutes in both the UK (The Com- 
panies Act 1985, The Financial Services 
Act 1986, The Banking Act 1987, The 
Building Societies Act 1986) and the US 
(The Foreign Corrupt Practices Act 
1977) [4] dictate the legal obligations of 
management to enforce appropriate lev- 
els of computer security. 

Other statutes have been introduced 
in the UK (Computer Misuse Act 1990, 
UK Data Protection Act 1984) and in the 
US (The Computer Fraud and Abuse Act 
1986, The Electronic Communications 
Privacy Act 1986, The Computer Secu- 
rity Act 1987, The Credit Card Fraud Act 
1984, and various state legislation) to 
prosecute individuals for computer mis- 
use. Laws relating to admissibility of 
computer generated evidence also had to 
be re-interpreted in the new electronic 
media (UK Police and Criminal Evidence 
Act 1984, UK Criminal Justice Act 
1994). 

A quote from an OECD Information 
Computer Communications Policy report 
best describes the new economic value 
of information and legal attempts to con- 
trol this phenomenon: 

"One of the factors inherent in infor- 
mation and telecommunications tech- 
nologies is that their misuse can leave no 
trace; but law is traditionally based on 
texts and material evidence of acts which, 
for computer-related crime, are often 
unavailable. 

"This makes it difficult to assess the 
scale of and to detect and prosecute com- 
puter-related crime. The amendments of 
laws on the admissibility of evidence to 
take the supporting technology into ac- 
count, could assist in prosecuting. 

"These difficulties may influence 
Member countries in deciding which pro- 
cedure to choose for initiating proceed- 
ings: to act only in the lodging of a com- 
plaint or to prosecute automatically. The 
victim may be no clearer than the of- 
fender of his rights and obligations and 



may not be prepared to divulge informa- 
tion if the consequence could be to 
threaten a market position or commer- 
cial credibility. 

" Many victims feel that they have not 
taken all the necessary measures to pro- 
tect their new computer-based asset, on 
cost-benefit grounds. This is borne out 
by the lack of success of computer-re- 
lated crime insurance." (OECD, 1986) 

Management in networked organisa- 
tions are legally responsible for an 'ad- 
equate' level of security for their infor- 
mation systems. It often turns out that the 
'victims' of computer hacking (net- 
worked organisations) are also at fault 
since they have not provided 'adequate' 
security measures required by the law. 

Instances of computer crime under- 
mines management's credibility to up- 
hold it's stewardship responsibilities. 
This is complemented by the fear of a 
public relations fallout, resulting in lack 
of consumer confidence (Gelinas, Oram, 
& Wiggins, 1990). Quoting David Stang, 
president of Norman Data Defense Sys- 
tems: "You feel dirty after a hacker at- 
tack or a computer virus infection, like 
you've done something wrong, you don't 
want to tell anybody, which winds up af- 
fecting the reporting of incidents." 
(Roush, 1995) 

If and when incidents do get reported, 
not all investigative agencies are ad- 



equately trained to "prevent further dam- 
age, limit the losses incurred, find out 
what went wrong, identify the perpetra- 
tor, and preserve the evidence for a suc- 
cessful legal prosecution" (Smith, 1993). 

Furthermore, investigation of compu- 
ter crime will "inevitably be pitted against 
time and operational pressures, making 
the proper handling of the investigation 
and preservation of evidence even more 
difficult" (Smith, 1993). 

For networked organisations to be 
fully protected by the law, management 
and security staff should be aware oftheir 
legal liabilities under both criminal law 
and civil law. This issue will be discussed 
further in the next section. 

3o Legal Liabilities of 
Networked Organisations 

Criminal liabilities are concerned 
with the legal obligations of citizens to 
the state. Management in a networked 
organisation is liable for assuring the se- 
curity of the company's financial ac- 
counts, and any personal information 
held on computer systems. 

The nature of criminal cases means 
that a great deal of time is spent on de- 
ciding whether evidence is admissible or 
not (Smith, 1993), and even then, suc- 
cessful prosecution does not usually re- 
sult in compensation to the party that suf- 
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fers damages. 

However, they are conducted under 
public expense, providing useful evi- 
dence to support a claim for civil wrong 
doing (Chalton, 1990). 

3.1 Accuracy and Integrity of Compu- 
terised Company Records 

Companies are required under section 
722 of the Companies Act 1985 to take 
adequate precautions against the falsifi- 
cation of accounting records, including 
those of a computerised nature. If ac- 
counting records are computerised, then 
appropriate physical (e.g. access con- 
trols), technical (e.g. audit trails) and 
administrative controls (e.g. separation 
of duties) should be in place. 

Failure to keep proper accounting 
records under section 722 could consti- 
tute a breach of section 22 1 , which would 
be an offence under section 223 unless 
management act honestly and the default 
is excusable under the circumstances of 
the business (Kelman, 1995). 

The Financial Services Act 1986 also 
has provisions regulating the use of com- 
puterised accounting information sys- 
tems. Requirements include "an organ- 
ised systems development methodology, 
an up-to-date documentation of systems, 
effective change control procedures and 
adequate testing of system changes, ef- 
fective access control software, and ad- 
equate up-to-date and well tested disas- 
ter recovery plans". Self-regulatory or- 
ganisations are also set up under the act 
to monitor compliance (Smith, 1993). 

The Bank of England and the Build- 
ing Societies Commission have issued 
notes to banks (Guidance Note on 
AORICS, Accounting and Other Records 
and Internal Control System) and build- 
ing societies (Prudential Note) providing 
guidelines on "system development risks, 
data entry errors, program modification 
errors, fraud, access to confidential in- 
formation, internal controls, internal au- 
dits, and disaster recovery (or business 
interruptions)" (Essinger, 1990) (Smith, 
1993). 

The US Securities and Exchange 
Commission and the American Institute 
of Certified Public Accountants also is- 
sued similar security guidelines (see 
AICPA Statement on Auditing Standards 
No. 55) (Gelinas, et al., 1990). 



Companies have another reason to 
place high priority on the integrity of their 
computer-based information systems. 
Under the Insolvency Act 1986, compa- 
nies applying for an 'administrative or- 
der' in times of financial crisis to pre- 
vent creditors from dissolving the com- 
pany will have to show the courts finan- 
cial projections. 

The government and court does not 
like bailing out 'failures', thus the secu- 
rity and integrity of all company records 
including the computer-based informa- 
tion systems should be well guarded and 
well maintained as an added precaution 
for business continuity (Kelman, 1995). 




3.2 Protection of Personal Data 

The principle that personal informa- 
tion on computers must be adequately 
secured under the Data Protection Act 
1984 implies increased liabilities for or- 
ganisations. The Act maintains that or- 
ganisations holding personal data on liv- 
ing individuals in a form that can be au- 
tomatically processed, unless exempt, 
must register itself as a data user to the 
Data Protection Registrar. 

Failure to register carries a maximum 
fine of £5,000 in a Magistrates Court or 
an unlimited fine in a Crown Court. Reg- 
istered data users must not contravene the 
eight Data Protection Principles. Failure 
to comply with the principles may result 
in a preliminary notice, followed by an 
enforcement notice (a time frame for a 
data user to comply with a breach in Data 
Protection Principles), a de-registration 



notice (a notice that a data user is no 
longer able to hold personal data with- 
out committing a criminal offence), or a 
transfer prohibition notice (a notice 
which prohibits the transfer of personal 
information to countries outside the UK). 

Failure to comply with the notices is 
a criminal offence under section 5 of the 
Act. The organisation, it's directors and 
managers may all be liable. The organi- 
sation and the managers are liable under 
section 5 if they committed the offence 
knowingly. The directors are liable un- 
der section 20 if they had consented to 
the offence. Other senior officers may be 
liable due to neglect of ensuring adequate 
security (Bainbridge, 1993). 

Data subjects can also claim damages 
against the loss or unauthorised disclo- 
sure of personal information under sec- 
tion 23 of the Act. Therefore, the net- 
worked organisation should take proper 
measures against unauthorised access and 
modification of personal data, as well as 
providing frequent audits and backups. 

Due to reasons of personal privacy, 
national sovereignty and economic sov- 
ereignty, various nations have legal or 
administrative restrictions on 
Transborder Data Flow (TDF). The le- 
gal threats to networked organisations 
may come either from national data pro- 
tection laws, or restrictions on export of 
data to countries without such regulation. 

Organisations might resolve this dif- 
ficulty either through a contractual clause 
with the trading partner, or by re-organ- 
ising it's data processing activities 
(Walden & Savage, 1990). 

3.3 Authorisation for Access and 
Modification of Data 

The Computer Misuse Act 1 990 does 
not impose statutory duties on networked 
organisations, but it does require employ- 
ees and other users of computer-based 
information systems to understand fully 
the limits of their authority. All instances 
of misuse also have to be detected and 
properly logged at an early stage (Smith, 
1993). 

3.4 Admissibility of Computer-gener- 
ated Evidence 

Before the Police and Criminal Evi- 
dence Act 1984, the admissibility of com- 
puter generated evidence depended on 1) 
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whether the evidence was generated 
wholly by computer or with human in- 
volvement, 2) whether experts can tes- 
tify on the reliability of the computer sys- 
tem, 3) whether it is the 'best evidence'. 

Section 69 of the Police and Crimi- 
nal Evidence Act 1984 now accepts com- 
puter-generated to be admissible unless 
there has been some human intervention 
in the computer process. Under such cir- 
cumstances, a certificate will be required 
by the system manager stating that there 
are no reasonable grounds for believing 
the computer was used improperly, and 
the computer was operating reliably at 
all times, or if not, that the impairment 
could not have affected the accuracy of 
the evidence (Kelman, 1995) (Smith, 
1993). 

3.5 Civil Liabilities of Networked Or- 
ganisations 

Civil liabilities are concerned with the 
contractual rights and obligations of or- 
ganisations (liabilities under contract) 
and liability to strangers, for example, 
negligence and breach of statutory duty 
(liabilities in tort). 

They are governed mostly by com- 
mon law, and may be incurred when man- 
agement have not taken special precau- 
tions. Management should be aware that 
other than the criminal liabilities they 
may incur from computer crimes, or dam- 
ages from computer crimes, the business 
can suffer seriously if the incident had 
affected other parties on the other side 
of contracts. 

The injured parties can either affirm 
the contract, bring the contract to an end, 
or claim damages. Organisations may 
also be subject to claims for negligence 
if it can be proved that the organisation 
owed the defendant a duty to take care, 
and that it had breached that duty. 

With the pervasiveness of computers 
in modern organisations, intrusions like 
hacking and viruses will very likely im- 
pair the operation of the organisation, 
resulting in civil liabilities. Adequate se- 
curity should not be taken for granted, 
especially when life-critical systems are 
involved. 

The admissibility of Computer Evi- 
dence under civil law is governed by the 
Civil Evidence Act 1968, which does not 
cover ad hoc reports or printouts of the 



system log unless they are regularly gen- 
erated (Smith, 1993). 

Organisations might consider leaving 
a regular trail of physical printouts as a 
consequence, in order to counter claims 
for civil liabilities. 

3.6 Legal Liabilities of Computer Bu- 
reaux, EDI Service Providers, Net- 
work Service Providers and Bulletin 
Board Operators 

A set of different issues and laws 
cover computer and telecommunication 
service providers, however, they are out- 
side the scope of this article. The issues 
will be covered quickly in this section. 

Computer bureaux and Electronic 
Data Interchange (EDI) service provid- 
ers may have contracts specifying access 
and availability of their resources. For 
example, companies that have outsourced 
their information systems facilities, or 
multi-national corporations running elec- 
tronic funds transfer systems, may find 
24 hour uptime to be essential. 

The Computer Misuse Act 1990 does 
not impose statutory duties on networked 
organisations, but it does require employ- 
ees and other users of computer-based 
information systems to understand fully 
the limits of their authority. All instances 
of misuse also have to be detected and 
properly logged at an early stage (Smith, 
1993). 



3.4 Admissibility of computer-gener- 
ated evidence 

International laws and regulations re- 
lated to EDI have separate security re- 
quirements which organisations will be 
liable to once they sign the contracts [5] 
(Carr & Williams, 1994). 

Service providers and bulletin board 
operators may also need to protect them- 
selves against infringement of copyright 
(when pirate software is stored on their 
system, or distributed through their net- 
work by a third party), or the potential 
liability for defamation and libel (when 
controversial remarks are stored on their 
system, or distributed through their net- 
work). 

The following advice is based on the 
possible threat of computer crime and 
hacking and the legal liabilities: 

1) specify explicitly the levels of au- 
thorisation for each task and job role, 

2) keep system logs in order to estab- 
lish the computer system's reliability, 

3) re-examine internal controls in or- 
der to reduce human errors to a minimum, 

4) implement separate access controls 
especially for sensitive personal data, 

5) keep audits trails to prove the ac- 
curacy and integrity of computer-based 
information, it may also be the crucial 
evidence that is needed to link an of- 
fender to an otherwise unrecorded access, 
duplication or modification transaction, 

6) consider keeping a regular trail of 
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paper printouts for physical backup and 
evidence in civil courts, 

7) balance operational needs and the 
preservation of evidence in the disaster 
recovery and contingency plans. 

5. The Role of Education 
and Awareness in the Deter- 
rence of Computer Hacking 

Organisations that have prepared 
themselves for the computer crime and 
hacking need not be trigger happy. Com- 
puter hacking should not to be forgiven, 
but there are reasons to believe that the 
motive behind many hacking cases docu- 
mented in the past few years have not 
been malicious. 

It is better to promote awareness of 
socially acceptable behaviour and to edu- 
cate others on the legal reforms that have 
taken place in this age of transformation. 
An unmistakable method would be to 
post a notice of liability on login screens 
instead of 'Welcome to Super Compu- 
ter' messages. 

Even though sound security princi- 
ples are against such publicity, i.e. ad- 



vertising highly sensitive systems as such 
by issuing a warning notice prior to login, 
but casual hackers should be aware that 
mere login attempts on systems located 
in the UK constitutes a basic offence un- 
der the Computer Misuse Act 1990. The 
Act also applies "whenever an alleged 
offence is conducted from or directed 
against the UK". 

Information on legal liabilities in vari- 
ous countries should be made widely 
available. Service providers and informa- 
tion providers should make the legal li- 
abilities that apply in that country avail- 
able, and if extradition applies for that 
offence (currently applies only to indict- 
able offences under sections 2 and 3 of 
the Computer Misuse Act 1990), the le- 
gal liabilities that apply in other coun- 
tries should also be widely available (see 
Bainbridge 1993 pp. 172-173, Lloyd 
1993 pp. 188-190). 

Before such legal information is har- 
monised, which seems highly unlikely, 
the distribution of such legal information 
should be wide-spread and well publi- 
cised, otherwise computer hacking will 
always be regarded by techies as casual 
adventuring. 



The international aspects of compu- 
ter networking makes decisions on juris- 
diction difficult. In spite of attempts to 
harmonise computer-related crime and 
penal law in the Organisation for Eco- 
nomic Co-operation and Development 
member countries (OECD, 1986) and the 
European Community, current differ- 
ences in law undermines fair sentencing. 

For example, a defamatory remark 
made on the US network is distributed 
around the world to the UK, the plaintiff 
in this case can select the country of his 
choice to sue. English laws make it easier 
for the plaintiff to recover damages, while 
US laws requires the plaintiff to prove 
the defendant guilty (Conaill, 1995). 
Other issues of fairness and justice are 
bound to jump out as we progress towards 
the future networked society [6]. 

6. Conclusion 

Organisations today can no longer 
afford to remain isolated from the net- 
work society. Firewalls and other techni- 
cal controls are only as good as the per- 
sonnel who set up and monitor them. The 
networked organisation with all its fright- 
ening consequences are increasingly be- 
coming a reality. 

In answer to the question raised in the 
introduction about the current status of 
the hacker culture, has hacking lost it's 
significance? Do organisations still need 
to protect against computer hacking? 
Definitely yes, evidence shows that hack- 
ing in the future will become even more 
serious, sophisticated, and malicious [7] 
(Roush, 1995). 

Before 1986, many nations did not 
have laws for deterring computer hack- 
ing (OECD, 1986), but the combination 
of new laws, law enforcement experi- 
ence, and a series of high profile pros- 
ecutions had an immediate impact on the 
US hacking community, and through 
worldwide publicity, many other parts of 
the world. Law reforms, in the UK at 
least, have made the legislative position 
on computer crimes and hacking quite 
clear. 

Explanations of why organisations 
that have become 'victims' to computer 
crime and hacking have not resorted to 
the law was highlighted in section 2 of 
this article. Laws relevant to the provi- 
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sion of adequate security, and other le- 
gal liabilities that organisations may in- 
cur in their adoption of computer and 
networking technology was discussed in 
section 3. 

It is hoped that organisations can use 
this knowledge as a starting point for re- 
examining their information systems se- 
curity in order to receive the full protec- 
tion of the law, an example of this was 
listed in section 4. 

And finally, in section 5, the need for 
education and awareness of the new laws 
relating to networked computing was dis- 
cussed. Law enforcement, organisations, 
and individuals need more exposure to 
these laws before comprehending fully 
their legal obligations and liabilities. In 
the future, as the legal liabilities of all 
parties are better understood, more pros- 
ecutions and more arbitration based on 
the law will follow. 

It has been said that prevention is 
better than cure, but awareness of the law 
is even better than prevention. Awareness 
of legal liabilities of all parties involved 
provides a useful guideline for self-regu- 
lation, resembling a national information 
security policy. 

The network society still faces many 
more challenges on what constitutes ac- 
ceptable behaviour on the network. So- 
ciety should not hesitate in reforming 
existing laws and legislating new ones to 
protect and to bring about justice. But 
ultimately, it will depend on every mem- 
ber of society to follow the law, by ful- 
filling their obligations with an under- 
standing of their legal liabilities. 

Appendix A : Further reading on the 
legal liabilities of computer hacking 

Computer Misuse Act 1990, Data Pro- 
tection Act 1984, Telecommunications 
Act 1984, Copyrights, Patents, and De- 
sign Act 1994 

Appendix B: Further reading on com- 
puter crime law in other countries 

OECD, (1986). Computer-related 
crime: analysis of legal policy. (ICCP No. 
10) pp. .7-71 

Smith, M. (1993). Commonsense 
Computer Security (2nd ed.). McGraw- 
Hill, pp. 268-274 



Footnotes 

[1] Donn Parker (US) estimates that 
only 20% - 25% of all computer crimes 
are reported. 

[2] Those interested in so called hack- 
ers ethics can read "Secrets of a Super 
Hacker", or 'The Hacker Handbook III". 

[3] Those interested in the hacker-law 
enforcement-civil libertarian relationship 
should read Sterling's book "The Hacker 
Crackdown", connect to the Electronic 
Frontier Foundation's WWW server at 
www.eff.org. 

[4] The international nature of com- 
puter crime and hacking creates problems 
for jurisdiction, hence law in different 
countries may have to be considered. Due 
to space restrictions, only the relevant 
UK and US statutes will be listed in this 
section, but the rest of this article will 
focus on the relevant UK laws only. Eu- 
ropean readers would also be interested 
in checking the relevant European Com- 
munity Law. Please refer to Appendix B 
for references to related legislation in 
other countries. 

[5] Those interested in Electronic 
Data Interchange (EDI) might like to look 
at the technical security in UN/EDIFACT 
User Manual, and the contractual ar- 
rangements under UK EDI Association 
' Standard Interchange Agreement' (SLA) 
and US American Bar Association Trad- 
ing Partner Agreement' (TPA). 

[6] Computing professionals may not 
be responsible for shaping these issues 
into law, but they are responsible for com- 
municating these issues to other members 
of society. When in doubt, socially re- 
sponsible computing professionals 
should try to balance the four ethical is- 
sues in the computing profession, accu- 
racy of information, personal privacy, 
access to information, and intellectual 
property rights. 

[7] The future hackers will probably 
not be naive and persistent teenagers 
since much of the thrill of accessing un- 
disclosed information has been damp- 
ened by the widespread availability of on- 
line information today. However, the net- 
work society still faces many challenges 
on what constitutes acceptable behaviour 
on the network, e.g. intellectual property 
rights, privacy rights, responsibility for 
defamatory remarks, etc. It is the pro- 
posal of this article that the purpose of 



law is to serve individuals (including 
hackers) and organisations, hence the 
need to educate, understand, develop and 
follow legal constraints. 
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MS-DOS Partitions 



Recent investigations into MS-DOS based computers 
revealed some interesting information concerning the 
partitioning process, with important implications for 
forensic computer investigators. 



As most people will be aware, the 
idea of partitioning was introduced when 
the physical storage capacity of fixed 
disks began to exceed the electronic ca- 
pability of the operating system. 

The capacity limit of BIOS routines 
depends upon the size of the numbers 
used to access the disk at low level. Ad- 
dressing was usually via a Track, Head 
and Sector address and the relevant 
maxima for Track, Head, and Sector were 
1023, 15 and 63. 

Because Tracks and Heads (but not 
Sectors) were counted from zero this 
meant that the maximum number of 
addressable sectors was 1024 x 16 x 63 
or 1 ,032, 1 92. Since each sector was (usu- 
ally) capable of storing 512 bytes this put 
a top limit of 528,482,304 bytes. 

At the time when the original PC 
BIOS was developed this was felt to be 
more than sufficient for future needs. As 
engineering technology improved and 
disk sizes increased some modification 
of the BIOS increased the number of 
heads that it could handle from 16 to 256 
and thereby increased the maximum ca- 
pacity to 1024 x 256 x 63 sectors or 8 
Gigabytes. 

The operating system capacity how- 
ever, has a different limit by virtue of the 
fact that it needs to maintain an index of 
material stored on the disk. This is done 
by the 16 bit FAT system which main- 
tains a maximum of 65,520 blocks of 
space. 

The size of each block (or cluster) is 
set when the system is initially installed 
and depends upon the physical size of the 
disk. Thus for a small disk of around 1 00 
Megabytes, each cluster will be 2048 
bytes (or 4 sectors) and there will be 
around 49,000 of them. 

Whilst this system is extremely flex- 
ible, it is very inefficient in its use of 
space. For example if a file is created to 
contain only 40 bytes of information it 
will be allocated a single cluster and the 
remaining 2008 bytes would be unused 
by the file and unavailable to the system. 

As the size of the cluster increases, 



this inefficiency increases. Forensically 
this phenomenon can be useful since this 
slack space may contain information writ- 
ten to previous and long-since deleted 
files. 

The maximum cluster size acceptable 
to this 16 bit FAT system is 64 sectors or 
32 kilobytes and this places a maximum 
capacity of 65,520 x 32768 or 
2, 146,959,360 bytes (2 Gigabytes) on the 
operating system as a whole. 

The original PC BIOS boot routine 
was designed to address just the first sec- 
tor of a physical drive. The presence of a 

"The presence of directory 
fragments and their cluster 
number can be a vital link" 



four-entry partition table then allowed 
operating system software to access dif- 
ferent sections of the physical drive by 
partitioning the available space on the 
physical drive into a number of areas, 
each of which could contain a different 
operating system. 

Of course it is also possible to put the 
same operating system into several dif- 
ferent partitions and for MS-DOS this 
would mean that each partition would be 
treated by MS-DOS as a separate drive 
each accessible by a separate letter of the 
alphabet. Since the letters A and B were 
reserved for floppy drives, the letters C 
to Z were available for the other logical 
drives. 

In the first of the 
investigations men- 
tioned at the start of 
this article, the target 
machine was a laptop 
containing an 82 
Megabyte fixed drive 
with four MS-DOS 
partitions. 

The case involved 
alleged hacking and 
phone cloning. The 
first and second par- 



titions contained normal system and user 
software but nothing concerning the al- 
legations. 

A small amount of evidential mate- 
rial was extracted from active files on the 
third partition and the fourth partition (la- 
belled BLANK) was empty of active 
files. A search of the unallocated space 
on all four partitions revealed a little more 
material but nothing very substantial. 

However, on the second partition, 
there were traces of live subdirectory 
entries which contained the names of files 
which appeared interesting. Strangely 
these subdirectory entries were offset 
1024 bytes into each cluster rather than 
right at the beginning and when they were 
reformatted for display they indicated 
cluster numbers around 38,000, far 
higher than the maximum on any of the 
four partitions. 

Note that the primary entries in a 
subdirectory indicate not only the clus- 
ter number of the parent directory but also 
the number of the entry itself. The fol- 
lowing table indicates the overall parti- 
tioning scheme and the cluster sizes in 
each partition (See figure 1). 

It had been noted during initial ex- 
amination that the cluster sizes were unu- 
sual but note that the maximum cluster 
number on any drive was 14327. 

It was postulated therefore that what 
we were looking at were fragments of 
information from a time when the drive 
had been partitioned into a single drive 
with a cluster size of 2048 bytes. 

If that were the case, the fragments 
pointed to areas that were inside the 
fourth partition. A little patient calcula- 
tion and some adjustment for the incor- 
rect cluster offsets revealed a whole sub- 
tree of directories and several ZIP files 



Partition size 


Cluster size 


Maximum number of 
clusters 


29 Mbytes 


2048 


14327 


2 0 Mbytes 


4096 


9765 


13 Mbytes 


4096 


3173 



Figure 1 
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which were for the most part 
unfragmented. 

These were extracted and examined 
and provided a wealth of evidence to sup- 
port the charges. It also happened that 
one of the files contained a utility to re- 
partition a disk without losing live data. 

When tested, it became apparent that 
this had been used on the machine and it 
was this which had produced the unusual 
cluster sizes. 

The other investigation illustrated the 
other condition - where a multiple parti- 
tioned drive had been reconfigured to a 
single partition. Case information indi- 
cated that the drive had been re-format- 
ted at least twice and system software re- 
installed each time. 

Examination showed that the typical 
0F6h filler byte had been written to all 
clusters above 13,000 or so. However, 
these filler bytes did not extend right to 
the end of the drive. Above where the 
filler bytes ended, fragments of live sub- 
directories were found. 

The entries were again at an incor- 
rect offset but this time pointed to much 
lower cluster numbers. Translation cal- 
culations were completed and this time 
indicated that at some time in the past, 
the drive had had a final partition of 
around 10 Megabytes. 

Most of the files in this partition were 
intact and were recovered, providing ex- 
cellent evidence. The history appeared to 
be that the drive was originally parti- 
tioned into two logical drives and the first 
drive had been unconditionally format- 
ted without removing the original Mas- 
ter Boot Record. 

This may have happened more than 
once. Later the MBR had been destroyed 
- thus removing the partition table - and 
the whole drive was then repartitioned 
and reformatted, this time with an ordi- 
nary format. Thus the contents of the fi- 
nal section (the original 10 Mbyte parti- 
tion) remained for examination. 

It is rarely necessary to go to such 
lengths as are described above to recover 
relevant information, but in cases where 
there is no evidence in live files and only 
tantalising fragments in unallocated or 
unpartitioned space, the presence of di- 
rectory fragments and their associated 
cluster number can be a vital link in the 
evidential chain. 



Ijr Tsually it arrives in the email inbox 
1 1 with a long list of email addresses 
of fellow recipients, with a short 
note that begins "I just received this..." 
and continues: "perhaps you want to pass 
this warning on to others" or "is this for 
real?" or "please take note." 

The text continues along these lines: 

"WARNING! !!!!! If you receive an 
email titled "JOIN THE CREW" DO 
NOT OPEN IT! 

"It will erase EVERYTHING on your 
hard drive! Send this letter out to as many 

people you can this is a new virus and 

not many people know about it! 

"This information was received this 
morning from IBM, please share it with 
anyone that might access the Internet... 
(etc.)" 

This is categorically a hoax. There are 
several sites on the Internet that explain 
the different hoaxes and myths, one be- 
ing: 

http://ciac.llnl.gov/ciac/ 
CIACHoaxes.html. 

Let me also state flatly that you can- 
not get a computer virus simply by read- 
ing email. 

However, you can if someone sends 
you a file as an attachment, and it is a 
Microsoft Word file. If this file has the 
"concept" or a related macro vims, your 
version of Word can be infected. 

The solution here is to view any word 
documents in WordPad (the Windows 
Notepad that comes with Windows 95), 
or to get a program such as F-PROT that 
will detect such Macro viruses (F- 
MACROW will remove them) and check 
the attached file first. 

(See http://www.datafellows.net) 

Also, if someone sends you an execut- 
able file as an attachment, be suspicious 
(singing or musical greetings cards or 
animations can be infected with a virus), 
if in doubt it is probably better to delete 
these unless you expect that they contain 
valuable information. Or, at the very 
least, scan them first with a recent ver- 
sion ofF- PROT. 

It has been said that more time is 
wasted over false alarms about viruses 
than by the real things, while the Con- 
cept macro viruses that target Microsoft 
Word and Excel programs are the most 
widespread viruses around these days. 



But, to repeat, simply opening and 
reading an email cannot infect a compu- 
ter system. If you use a recent version of 
an Internet browser, you will be alerted 
if there is any activity that might be dan- 
gerous. 

Embedded ActiveX controls were a 
case in point, even if Microsoft has now 
suspended its ActiveX work. 

This was the "feature" that caused 
visitors to certain alleged porn sites to 
have their modems disconnect and then 
place a long-distance phone call to 
Moldavia. This was started as a prank, 
but the perpetrator has had to reimburse 
the thousands of victims in a recent US 
court ruling, (see news pages). 

The fact is that personal computing 
is more hazardous today in an increas- 
ingly interconnected world, and it can be 
difficult for novice users to determine 
what is a potentially dangerous activity 
and what is not. 

Reading email is not, casually open- 
ing a Word attachment can be. 

Finally, it is worth downloading F- 
PROT now anyway. This is free, for the 
DOS version, at least. Use it to check out 
your system. 

If it finds a known virus infection, it 
will either shut down (if the virus is ac- 
tive in memory) so that the anti-virus pro- 
gram itself does not get infected, or if it 
is safe to run, it will pinpoint any infected 
files (which it will clean or disinfect for 
you). 

Secondly, if you do have a virus in 
memory, you may well need to start the 
computer from a known, clean floppy 
disk. Making one should be the first thing 
you do after you buy a new computer 
system. 

Get a blank, unformatted floppy disk, 
and place it in drive A. 

Type format a:/s which will transfer 
the system files. Label this RESCUE 
DISK, along with the version ofDOS you 
have, and at least you will be able to start 
your system in a known clean state 
(which it should be in when you buy it), 
for troubleshooting later. 

And tell anyone who sends you warn- 
ings about the "GOOD TIMES VIRUS" 
or "AOL4FREE" or "JOIN THE 
CREW" not to worry. 

By Tony Waltham 
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Forensic Q 



Q During a search of an MS-DOS par- 
tition, I discovered what appeared 
to be the remains of a subdirectory 
cluster. Amongst those entries which 
were intelligible I found an entry 
which was exactly similar in every 
respect (including the starting clus- 
ter number) with another entry in a 
"live" subdirectory. How can this 
happen and is there any special sig- 
nificance to this? 

A It is quite usual to find traces of 
previous subdirectory clusters in both 
unallocated and slack space. 

There are a number of reasons 
why this happens apart from the ob- 
vious one where a subdirectory has 
simply been deleted. Perhaps the disk 
has been defragmented at some time 
in the past. 

If defragging is done without the 
wipe option, when a subdirectory is 
moved (i.e. copied) the original copy 
is left until something else is written 
to that space. 

You do not say if the subdirectory 
entries were marked as deleted (with 
the first character changed to 0E5h). 
This is important because in MS-DOS 
a subdirectory cannot be removed un- 
til all the entries in it have been re- 
moved or deleted. 

During defragging, individual en- 
tries are not "deleted" so if this is how 
your entries appear it may be the re- 




sult of a defrag operation. 

Under these circumstances, fairly 
obviously if the starting cluster is the 
same then the file must have been 
moved before the subdirectory. 

However, if the matching entry is 
marked as deleted, this may be the 
result of a file move (rather than 
copy) operation. For example : within 
Windows' File Manager if a file is 
dragged from one subdirectory of a 
disk to a different subdirectory of the 
same disk the instruction is to move 
rather than copy the file. 

The move process does not actu- 
ally copy the file contents to a new 
location, instead it marks the original 
subdirectory entry as deleted and 
then creates a matching entry in the 
new subdirectory. Thus the result of 
such a move leaves two identical en- 
tries (apart from the first character) 
on the disk. 

The significance of such obser- 
vations must be taken in context but 
the presence of fragments of 
subdirectories might be useful in de- 
termining a sequence of events on a 
machine, particularly when compared 
with the results of cluster analysis. 

Q Precisely what legal significance 
can be attached to the dates and 
times on files? 

A The short answer is none. The date 




and time of a file as recorded in the 
subdirectory entry is too easily 
changed without trace for it to be of 
any evidential value (particularly in 
16 bit arenas). 

You should also remember that 
when a file is copied, its date and time 
travel with it. However, a series of files 
within a subdirectory, containing simi- 
lar dates but ascending times might 
be indicative of a multiple file 
downloading or copying session. 

Analysis of the time differences 
between adjacent files compared to 
their respective lengths might even 
give some indication of the speed of 
the download. 

It should also be mentioned that 
subdirectory dates and times are more 
difficult to change because when a 
subdirectory is created the current 
system date and time is written to 
three separate places. 

Thus during a chronological 
analysis of a disk structure under MS- 
DOS, more weight should be given to 
the dates and times marked in 
subdirectory entries than those as- 
sociated with files. 

Once again, cluster analysis might 
help by highlighting any anomalies 
within the structure. 

Q What is an "orphaned cluster"? 

A In MS-DOS, when a file is deleted the 
normal sequence of events is to first 
change the first character of the 
subdirectory entry to 0E5h (ASCII 
code 229) and then clear the chain of 
entries within the File Allocation Ta- 
ble back to zero to make them avail- 
able again to the MS-DOS space allo- 
cation system. 

Sometimes, after the subdirectory 
entry has been changed, the FAT is 
not cleared. This may be as a result 
of an unsynchronised cache buffer 
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or some misbehaviour within an al- 
ternative processing thread. The re- 
sult leaves the original cluster chain 
still marked as allocated within the 
FAT but there is no associated own- 
ing file entry. 

There is thus no way that MS- 
DOS can recover the space. The pro- 
gram CHKDSK has an option (using 
/v) to recover such orphaned clus- 
ters (Microsoft call them "unallocated 
chains") into files named with a char- 
acteristic FILE????.CHK where the 
???? is a sequential number. 

These recovered files will always 
be an exact number of clusters long 
and will appear in the root directory. 

Once the chains have owning en- 
tries they can of course be deleted to 
recover the disk space. 

Do not attempt to recover or- 
phaned clusters on the evidential ma- 
chine because the root directory en- 
tries may overwrite valuable evi- 
dence, do so instead on a rebuilt im- 
age of the logical drive. 

Note also that there is a limit to 
the number of entries that the root 
directory will hold. Recovering large 
numbers of orphaned chains can over- 
flow the root directory and prevent 
further recovery. 

Q I have a number of ZIP files contain- 
ing material which may be of inter- 
est on a particular case. When I at- 
tempt to UNZIP them I get a mes- 
sage saying : (( Warning - skipping 
encrypted file!" How can I recover 
these files? 
A The short answer to your question is 
- you can't! 

When creating ZIP archives, the 
PKZIP program has an option to 
encrypt each file with a password pro- 
vided by the user. 

Once zipped, these files cannot be 
unzipped without the password. 
There are a number of so-called Zip- 
cracker programs which will conduct 
a brute force decryption by trying all 
possible passwords until they find the 
one that works. 

This approach will succeed but the 
problem is how long it takes to gener- 
ate the test passwords. For example: 




PKZIP will theoretically accept any 
of 25 1 different characters in a pass- 
word. 

So if the password were only 1 
character long there would be 251 
possibilities. With a password length 
of 2 characters there would be 25 1 x 
251 possibilities and length 3 would 
have 251 x251 x251 possibilities. 

Thus the formula for how many 
possible passwords there are of 
length P^erc becomes : 25l PWLen . As 
the password length increases this 
becomes a very large number as may 
be seen in the table (figure 1). 

As may be seen from the times 
listed in the third column, this proc- 
ess can take an enormous length of 
time. Reducing the number of char- 
acters which may probably be in the 
password to 95 (26 lower case letters, 



26 upper case letters, 10 digits and 33 
symbols/punctuation marks) and ar- 
ranging for several computers to work 
simultaneously on sections of the 
problem will reduce the times in- 
volved and knowing some of the prob- 
able characters is also a help. 

However, this approach is gener- 
ally impractical. Another approach in- 
volves testing millions of known 
words (a dictionary attack) - as noted 
above 15 million words can be tested 
in less than two minutes. 

This will of course fail if the pass- 
word is not a recognised word. 

There are also certain 
cryptanalytic techniques that have 
been successfully applied in certain 
cases but these are outside the scope 
of this journal. 



Length of 
password 


No of possibilities 


Time to generate all 
possibilities @ 150,000 per 
second 


1 


251 A 1 =251 




2 


251 A 2=63,001 


0.42 seconds 


3 


251 A 3=15,813,251 


1 minute 45 seconds 


4 


251*4=3,969,126,001 


7 hours 21 minutes 


5 


251*5=9.96 x 10 A 11 


7 6 days 2 0 hours 54 minutes 


6 


251*6=2.5 x 10*14 


52 years 3 01 days 


7 


251*7=6.28 x 10*16 


13,259 years 


8 


251*8=1.57 x 10*19 


3 , 328, 086 years 


9 


251*9=3.95 x 10*21 


835, 349, 596 years 


10 


251*10=9.92 x 10*23 


2 x 10*11 years 



Figure 1 ( A denotes "to the power of) 
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Space trashers | Books 



I have recently been asked for com- 
ments and observations on a number of 
programs which in various ways try to 
prevent the operating system from leav- 
ing traces of user files dotted around the 
fixed disk in unallocated and slack space. 

Marketed as "security software", 
these programs offer positive file dele- 
tion, slack space clearing and even swap 
file sanitation amongst their options. 

Some require operator action whilst 
others can be installed as active back- 
ground applications which monitor sys- 
tem activity and positively wipe any tem- 
porary or redundant file content. 

In some cases the overwrite options 
offered would support a paranoia which 
would do credit to a third world dictator. 
Fairly obviously such programs may oc- 
casionally cause difficulty for forensic 
investigators if it transpires that a case 
needs a detailed analysis of unallocated 
space to determine a possible sequence 
of recent activities. 

However, since more than 95 per cent 
of cases on my records have had no need 
of such analysis, the loss of deleted ma- 
terial should not cause too many prob- 
lems. The majority of the remainder in- 
volved corporate users where employees 
had been using company facilities to con- 
duct unauthorised or even downright il- 
legal activity. In such cases, tracing re- 
cent activity might be vital to the investi- 
gation. 

What does concern me is the extraor- 
dinary lengths that the software vendors 
will go to in order to destroy information 
in the name of security. All of the pro- 
grams that I have seen will positively 
erase deleted files. 

Most of them will remove deleted 
filename entries, some will clear slack 
space and some will even clear the swap 
file contents. The methods of positive 
erasure range from a simple overwrite with 
zeroes through to multiple pattern 
overwriting of such content and complex- 
ity that the oxide coating might fare bet- 
ter being scrubbed with a wirewool pan 
scourer. 

The incidence of computer theft is 
increasing and it makes sense for indi- 
viduals to protect their data from prying 
eyes in the event that the hardware is 
stolen. But if the data is so valuable, why 
risk getting it stolen in the first place? 



By Jim Bates 



I would have thought that money 
could be better spent on proper security 
measures to protect the hardware. Even 
with space trasher programs, the active 
file content still remains and a thief is 
easily going to access it unless some se- 
cure password system is in use. 

The spectre of computer wizards bus- 
ily hacking into stolen computers to re- 
trieve priceless information may be use- 
ful to sell software but simply doesn't 
match real life. I have had one case in 
seven years where deleted material was 
retrieved and used for criminal purposes 
and that was on a second hand machine 
that hadn't been cleared properly. 




Is it just my suspicious mind that sees 
a ready market for such programs 
amongst the irresponsible users who are 
aware that their computing activities are 
illegal and wish to keep them concealed? 

Perhaps corporate users might con- 
sider this and think about the effect within 
their internal security departments. The 
use of space trashers leaves quite clear 
traces on a machine and if a company 
had decided to outlaw their use, the mere 
presence of such traces might itself con- 
stitute evidence that there was some- 
thing to conceal. 

For home users, the installation of 
such "security software" might give them 
a warm feeling of comfort and safety, but 
on already overloaded systems is it re- 
ally worth the effort? These program do 
have a place - perhaps in certain govern- 
ment or corporate departments on ma- 
chines carrying extremely sensitive ma- 
terial located in areas where there is an 
unavoidable risk of theft or illegal access. 
Otherwise, scrub it! 

Jim Bates is president of the Insti- 
tute of Analysts and Programmers, UK. 



30 Minutes to Master the Inter- 
net, by Neil Barrett, 64pp, £3 

Advertising on the Internet, 
by Neil Barrett 127pp, £9.99 

Kogan Page Limited, 120 
Pentonville Road, London Nl 9JN 

Neil Barrett is infamous in the com- 
puter security world as a "poacher turned 
gamekeeper". He learnt the secrets of the 
trade from the other side as a hacker, and 
now uses his acquired knowledge to ad- 
vise others on how best to protect against 
such cyber attacks. 

In his latest two works he is again dis- 
cussing the power of the Internet, but this 
time he is aiming at a domestic and less 
expert readership. 

While these two books are too basic 
to have much direct relevance to compu- 
ter forensics, they are nevertheless use- 
ful to some degree to police and investi- 
gators who are just starting out in the field 
and need solid information that is easily 
digested. 

The title of 30 Minutes To Master the 
Internet is a bit of a misnomer, but the 
book does give a good, if very basic, 
grounding of the Net. It discusses com- 
puters, modems and connection software 
as well as the various aspects of the In- 
ternet such as file downloads, e-mail and 
newsgroups. 

Anyone who can already use the In- 
ternet satisfactorily will find little new 
information in this slim 64-page volume, 
but for the complete novice it is fine. 

Advertising on the Net is interesting 
reading for anyone who has their own 
web page. As the Internet develops, it's 
important for all users to gain the maxi- 
mum benefit from the wider audience and 
that means making themselves as high- 
profile as possible on the Net, 

This not only applies to commercial 
organisations who stand to make money, 
but also to police forces and government 
bodies who have web presences so they 
increase the number of "visitors". 

The book covers a reasonably wide 
area, from links, content and style to 
"push technology" and web applets. It is 
written firmly with the non-technical 
reader in mind, but the downside to this 
is that it is also lacks absolute detail for 
those who want to go a step further. 
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Notice Board 



We will be pleased to receive contributions to 
this page. Please mark all correspondence 'No- 
tice Board 5 . We reserve the right to edit if re- 
quired. 



Events 



Surviving the Year 2000 
Problem: Audit's Role 

12-13 January 1998 
Cumberland Hotel, London 
15-16 January 1998 

Serzel Plaza Hotel, Stockholm 

This briefing is designed for IT and 
Internal Audit Management. 

The briefing will take delegates 
through the steps which can be taken to 
help organisations prepare for the mil- 
lennium change. 

Topics will include the legal and pro- 
fessional ramifications of ignoring the 
year 2000 problem; strategies for gain- 
ing corporate support for additional re- 
sources; and a methodology for assess- 
ing the impact and risks the year 2000 
problem will have on organisations. 

Delegates will identify the resources 
and tools available to help their organi- 
sations' computers become century com- 
pliant. 

The briefing leader is Michael T 
Curtiss, a senior consultant of MIS Train- 
ing Institute. Previously, Mr Curtiss held 
technical and management positions with 
Rockwell International, First Chicago, 
and Citibank. As world-wide manager for 
image business development at Unisys 
Corporation, he was one of the pioneers 
in the development of image technology. 

Contact: MIS Training Institute 

Tel: +44 (0)171 779 8944 

Fax: +44 (0)171 779 8293 

E-mail: drosen@misti.com 

International Conference on 
Forensic Document (ICFD 
9 98) 

20-22 January 1998, Bangalore, 
India 

Papers will be presented on the fol- 
lowing topics: Identification of Signa- 
tures and Handwriting, Obliterations, 
Erasures, Alterations and Additions, 
Application of Principles ofPattern Rec- 
ognition to the Science of Handwriting 
Identification, Problems and Identifica- 



tion of Printed Matter, Type-scripts and 
Computer Printouts, Travel and Immigra- 
tion Documents, Plastic Money and 
Credit Cards (their use and misuse), 
Computer Forensics, Age of Documents, 
with particular reference to ink and pa- 
per and bank and insurance frauds. 

Contact: Dr R K Tewari, Bureau of 
Police, Research & Development 

Tel: +91 11 436 2676 

Fax: +91 11 436 2425 

Internet Executive Summit 

2- 4 February 1998 

McLean Hilton, Washington DC, US 
Contact: +1 202 973 8693 

Corporate Intranet 98 
Creating the Networked 
Digital Enterprise 

3- 4 February 1998, London 

This international conference, which 
explores the corporate impact and future 
of web technology, will present 
Masterclasses on Intranet Implementa- 
tion and Security Policy, Panel Discus- 
sion Sessions, WWW Discussions. 

Contact: Business Intelligence Ltd 

Tel: +44 (0) 181 879 3399 

Fax: +44 (0)181 879 1122 

Fraud - Developing a 
Proactive Role for The 
Internal Auditor 

9-10 February 1998, London 
with Post-conference workshop: 
Effectively Investigating Computer 
Fraud and Colating Useful Evidence 
11 February 1998, London 

The conference promises a unique 
opportunity to discover practical tech- 
niques and strategies which will focus on 
the key internal controls and procedures 
to help delegates successfully combat 
fraudulent activity. 

Sessions include: Creating and Main- 
taining a Successful Anti-Fraud Culture 
Within Your Organisation; Examining the 
Pros and Cons of Fraud Policy Docu- 
ments; Highlighting the Common (And 
Not So Common) Early Warning Signs 
of Fraudulent Activity and Using Them 
to Effectively to Allocate Your Re- 



sources; Identifying Potential Fraudsters 
at an Early Stage. 

The Workshop will be lead by 
Edward Wilding, senior consultant in the 
Computer Forensics Department ofNet- 
work Security Management. 

Edward Wilding specialises in com- 
puter forensics; computer evidence; the 
use of intelligence management systems 
to support investigations into money 
laundering and intellectual property in- 
fringement. 

He manages the Computer Forensic 
Response Team which gathers and analy- 
ses computer evidence in civil and crimi- 
nal cases. 

Programme topics are: Legal Consid- 
erations, Identifying the Issues Associ- 
ated With High-tech Computer Fraud and 
Abuse; Scene of the Crime: Getting to 
Grips With the Procedures Which Must 
be Initiated Immediately; Understanding 
the Intricacies of Computer Back-Up 
Methods; Evaluating the Need For Cov- 
ert Investigations; Identifying the Key 
Considerations of the Main Corporate 
Operating System and Abuse and Mis- 
use Associated with the Internet, Main- 
frame, Minicomputer and Network. 

Contact: IIR Ltd 

Tel: +44 (0)171 915 5182 

Fax: +44 (0)171 393 0313 

IT Auditing and Controls: 
Integrating the Auditor 
9-10 February 1998, London 
Auditing Automated 
Business Applications 

11-13 February 1998, London 
Contact: MIS Training Institute 
Tel: +44 (0)171 779 8944 
Fax: +44 (0)171 779 8293 

Integrated Communications 
98 and Sraarteard 98 
17-19 February 
Olympia 2, London 
Contact: +44 (0)1895 454438 

Internet World UK exhibition 
May 12-14 
Olympia 2, London 
Contact: +1 (0)1865 388000 
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